Charmie CRM Lite

Security checks across malware telemetry and agentic risk

Overview

This is a local contact-management skill, but it can change or delete CRM records with broad natural-language guidance and limited safeguards.

Install only if you are comfortable letting an agent maintain a local contacts database. Use explicit commands like "in Charmie CRM, search contact..." before update or delete actions, and keep backups for any important contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 82%
Finding
The invocation guidance is vague and broad, using examples like "Add John Doe" and "Search for Mike" without defining strict trigger boundaries or expected parameter structure. This can cause accidental invocation or ambiguous routing, which is risky in a CRM context because user utterances containing names or contact-like phrases may trigger unintended contact creation or lookup actions.

VirusTotal

66/66 vendors flagged this skill as clean.
