Security audit

Producthunt Launches

Security checks across malware telemetry and agentic risk

Overview

This skill openly describes itself as a Product Hunt scraping workflow, but users should understand that it can also collect public maker profiles, external links, website text, and email addresses from the sites those profiles link to.

Install only if you intend to automate Product Hunt scraping and to collect public maker/contact information from Product Hunt and linked websites. Use narrow date or top-N limits, skip website and email enrichment unless you actually need it, and be mindful of rate limits, consent, and the privacy rules and site terms that apply to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The operational-boundary statement says the skill only reads data already displayed to the user on the page and frames its behavior as limited to what a user could do manually in their browser. Later instructions, however, explicitly allow `stealth-extract {website-url} --content-type markdown`, which retrieves third-party sites outside the browser and goes beyond the stated browser-only, read-the-visible-page framing.

Context-Inappropriate Capability

Severity: Low
Confidence: 79%
Finding: The manifest describes a Product Hunt scraping and enrichment workflow, but the skill instructions also add a separate capability to read and append execution-history notes to a local memory file. Persisting operational notes is not necessary to extract leaderboard, maker, or website contact data and is not justified by the stated end-user purpose.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The description lists broad applications such as "startup launch monitoring," "new product discovery," and "maker/founder contact enrichment," which are not specific to Product Hunt scraping and overlap with common adjacent tasks. Because the trigger scope is embedded in a long free-form description without explicit exclusions or negative examples, the skill may activate in contexts beyond its intended narrow use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The objective explicitly includes enrichment with maker profile information and website contact details, and later examples include email extraction from external websites. The markdown does not warn users that the skill may collect personal or contact information from third-party pages, which matters for privacy expectations and safe use.
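The first and fourth findings above are the kind of check a skill reviewer can run statically before installing: compare what the skill's operational-boundary text claims against the commands its instructions actually invoke, and check whether a skill that mentions harvesting contact data also warns the user about it. The script below is an added illustration of that check, written for this page; it is not SkillSpector's code and not the skill's own file. The sample skill markdown is constructed for the example (only the `stealth-extract {website-url} --content-type markdown` command line comes from the finding), and the list of out-of-browser fetch tools and the phrase patterns are assumptions chosen for the demonstration.

```python
"""Static checks for description-behavior mismatch and missing user warnings
in an agent-skill markdown file. Added example, not SkillSpector's code."""
import re
from dataclasses import dataclass

# Constructed sample skill for the example. Only the stealth-extract command
# line is taken from the audit finding; everything else is made up here.
SAMPLE_SKILL = """\
# Producthunt Launches

## Operational boundary
This skill only reads data already displayed to the user on the page; it does
nothing a user could not do manually in their browser.

## Workflow
1. Open the leaderboard and read the top-N launches.
2. For each maker, open the linked website and run
   `stealth-extract {website-url} --content-type markdown`.
3. Extract any email addresses from the returned markdown.
"""

# Same skill with a privacy warning added, to show the check going quiet
SAMPLE_SKILL_WITH_WARNING = SAMPLE_SKILL + """
> Warning: step 3 collects personal data (email addresses) from third-party
> sites. Obtain consent and respect each site's privacy terms.
"""

# Hypothetical allowlist of tools that fetch content outside the user's
# browser; a real reviewer would maintain this per environment.
OUT_OF_BROWSER_FETCH = {"stealth-extract", "curl", "wget", "httpx"}

# Phrases that assert a browser-only / read-visible-page boundary (assumed)
BROWSER_ONLY_CLAIMS = re.compile(
    r"only reads data already displayed|could not do manually in their browser",
    re.IGNORECASE,
)
# Terms indicating collection of personal or contact data (assumed)
PII_COLLECTION = re.compile(r"\b(email|e-mail|contact details|phone)\b", re.IGNORECASE)
# Terms that count as a user warning about that collection (assumed)
WARNING_TERMS = re.compile(
    r"\b(privacy|consent|personal (data|information)|rate limit)\b", re.IGNORECASE
)
# Inline-code spans are where skill instructions typically embed commands
INLINE_CMD = re.compile(r"`([^`\n]+)`")


@dataclass
class Finding:
    kind: str
    evidence: str


def extract_commands(text):
    """Return (tool, full_command) for every inline-code span in the markdown."""
    cmds = []
    for m in INLINE_CMD.finditer(text):
        tokens = m.group(1).split()
        if tokens:
            cmds.append((tokens[0], m.group(1)))
    return cmds


def check_skill(text):
    """Run both checks and return the findings in order of appearance."""
    findings = []
    claims_browser_only = bool(BROWSER_ONLY_CLAIMS.search(text))
    # Check 1: a browser-only claim contradicted by an out-of-browser fetch tool
    for tool, full in extract_commands(text):
        if claims_browser_only and tool in OUT_OF_BROWSER_FETCH:
            findings.append(Finding("description-behavior-mismatch", full))
    # Check 2: contact-data collection with no privacy/consent warning anywhere
    pii = PII_COLLECTION.search(text)
    if pii and not WARNING_TERMS.search(text):
        findings.append(Finding("missing-user-warning", pii.group(0)))
    return findings


if __name__ == "__main__":
    for label, skill in (("as audited", SAMPLE_SKILL),
                         ("with warning", SAMPLE_SKILL_WITH_WARNING)):
        print(label)
        for f in check_skill(skill):
            print(f"  {f.kind}: {f.evidence}")
```

Run against the constructed sample, the first check fires on the `stealth-extract` line because the same file claims to do nothing beyond the user's browser, and the second fires because "email addresses" appears with no privacy or consent language; adding the warning block silences only the second. The checks are deliberately lexical: they catch the contradiction the finding describes, not every possible way a skill could phrase it, so treat a clean result as a prompt for manual review rather than a pass.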

VirusTotal

2/64 vendors flagged this skill as malicious, and 62/64 flagged it as clean.

Static analysis

No suspicious patterns detected.