Security audit

Trustpilot Company Info

Security checks across malware telemetry and agentic risk

Overview

This skill mainly extracts public Trustpilot profile data, but it also instructs agents to bypass anti-bot controls using stealth browsers, proxies, and multiple fingerprints for higher-volume scraping.

Review carefully before installing. The data extraction script is narrow and does not show credential theft or destructive behavior, but the skill encourages bypassing Trustpilot anti-bot controls and scaling collection across stealth sessions. Only use it for authorized, low-volume lookups that respect site limits and terms; do not use the stealth/proxy or multi-fingerprint guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill explicitly instructs the operator to switch to a stealth browser with proxy when anti-bot controls appear. That is an evasion tactic, not a simple public-data lookup step, and it encourages bypassing a target site's protective controls, increasing legal, compliance, and abuse risk.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The batch guidance recommends multiple stealth browser sessions with independent fingerprints to increase throughput. This operationalizes scaled scraping while avoiding per-session rate limits, which materially raises the risk of abusive collection and bypass of platform restrictions.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill includes advice for batch execution and multiple stealth sessions but does not clearly warn that this may trigger anti-scraping defenses or violate site usage expectations. Omitting that warning can mislead operators into treating evasive, high-volume collection as normal and low-risk.

Ssd 4

Medium
Confidence: 94%
Finding
Across the error-handling and efficiency sections, the skill progressively normalizes anti-bot evasion by recommending stealth browsers, proxies, and multiple independent sessions. In context, this makes the skill more dangerous because it moves from benign extraction of public page data into resilient scraping tactics designed to overcome defensive controls.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.