PhantomBuster

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PhantomBuster command-line integration whose sensitive actions are disclosed and aligned with its purpose.

Install this only if you want your agent to operate your PhantomBuster workspace. Keep the API key in a trusted environment, rotate it if exposed, double-check agent IDs before launch or abort, and treat fetched CSV/output data as potentially sensitive scraped or lead data.

SkillSpector

By NVIDIA
Vulnerability Patterns (checked for)
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.

The implemented fetch-result command expands the skill beyond the stated API-control scope by downloading result files directly from S3, including potentially sensitive scraped/exported data. Undocumented capability increases the chance that users or orchestrators invoke data-export behavior without proper review, consent, or policy controls.

Intent-Code Divergence

Severity: Low. Confidence: 84%.

The top-level command documentation omits the fetch-result command, creating a mismatch between declared and actual behavior. In security-sensitive agent ecosystems, undocumented functionality reduces transparency and can conceal data-handling capabilities from users and reviewers.

Missing User Warnings

Severity: Medium. Confidence: 89%.

The setup instructions tell users to place a long-lived API key in an environment variable but give no warning about secure storage, least privilege, shell-history exposure, or avoiding accidental logging and sharing. Because this skill can control remote automation agents and access their outputs, mishandling the credential could let an attacker trigger automations, retrieve scraped data, or disrupt workflows.

Missing User Warnings

Severity: Medium. Confidence: 88%.

The abort command performs a destructive remote action immediately, without confirmation or a dry-run/safety prompt. In an agent context, this can terminate active automations unexpectedly, causing operational disruption, incomplete jobs, or loss of in-progress work if triggered accidentally or by prompt manipulation.
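The two Missing User Warnings findings and the overview's advice (keep the key out of logs, double-check agent IDs, treat fetched output as sensitive) map onto a handful of wrapper-level controls. The following is an added example written for this page; it is not the skill's own code, and the environment variable name, API base URL, header name, request shapes and numeric agent-ID format are assumptions that must be matched against the real skill and PhantomBuster API before use. It reads the key from the environment only, redacts it from anything printed, validates the agent ID before it reaches a URL, refuses abort without an explicit --yes, and scans a (constructed) result CSV for lead/PII-looking columns so the caller can decide what to do with them.

```python
"""Hardened wrapper pattern for an agent-facing PhantomBuster CLI.

Added example, not the skill's own code. The env var name, API base URL,
header name, request shapes and agent-ID format are assumptions.
"""
import csv
import io
import json
import os
import re
import sys
import urllib.request

API_BASE = "https://api.phantombuster.com/api/v2"  # assumed
KEY_HEADER = "X-Phantombuster-Key-1"               # assumed header name
ENV_KEY = "PHANTOMBUSTER_API_KEY"                  # assumed variable name
AGENT_ID_RE = re.compile(r"^[0-9]{1,20}$")         # assumed: numeric agent IDs

# Constructed sample of a fetched result file; not real data.
SAMPLE_CSV = (
    "profileUrl,fullName,email,phone,company\n"
    "https://example.invalid/in/a,Ada Example,ada@example.invalid,+1 555 010 0100,Example Ltd\n"
    "https://example.invalid/in/b,Bo Example,,,Example Inc\n"
)


class UsageError(ValueError):
    """Raised for anything the wrapper refuses to do."""


def load_api_key(environ=None):
    """Take the key from the environment only. Never accept it as a flag:
    flags land in shell history, process listings and agent transcripts."""
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_KEY, "").strip()
    if not key:
        raise UsageError(f"{ENV_KEY} is not set")
    return key


def redact(text, key):
    """Scrub the key from any string headed for a log or the agent's context."""
    return text.replace(key, "[REDACTED]") if key else text


def check_agent_id(agent_id):
    """Reject anything that is not a plain agent ID before it reaches a URL."""
    agent_id = str(agent_id)
    if not AGENT_ID_RE.match(agent_id):
        raise UsageError(f"refusing malformed agent id {agent_id!r}")
    return agent_id


def build_request(action, agent_id, key, confirm=False):
    """Describe the API call without sending it. Abort is destructive, so it
    is refused unless the caller passed an explicit confirmation."""
    agent_id = check_agent_id(agent_id)
    if action not in ("launch", "abort", "fetch"):
        raise UsageError(f"unknown action {action!r}")
    if action == "abort" and not confirm:
        raise UsageError("abort stops a running automation; re-run with --yes")
    headers = {KEY_HEADER: key, "Content-Type": "application/json"}
    if action == "fetch":
        return {"method": "GET", "url": f"{API_BASE}/agents/fetch?id={agent_id}",
                "headers": headers, "body": None}
    return {"method": "POST", "url": f"{API_BASE}/agents/{action}",
            "headers": headers, "body": json.dumps({"id": agent_id})}


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def sensitive_columns(csv_text, sample=50):
    """Name the columns of a downloaded result file that look like lead/PII
    data, so the caller can drop, summarise or quarantine them instead of
    pasting them into an agent transcript. Only the first `sample` rows are read."""
    hits = {}
    for i, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        if i >= sample:
            break
        for col, val in row.items():
            val = val or ""
            if EMAIL_RE.search(val):
                hits.setdefault(col, set()).add("email")
            elif PHONE_RE.search(val):
                hits.setdefault(col, set()).add("phone")
    return {col: sorted(kinds) for col, kinds in hits.items()}


def main(argv):
    """Usage: wrapper.py launch|abort|fetch AGENT_ID [--yes] [--dry-run]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    key = load_api_key()
    req = build_request(argv[0], argv[1], key, confirm="--yes" in argv)
    if "--dry-run" in argv:
        print(redact(json.dumps(req, indent=2), key))  # key never reaches stdout
        return 0
    data = req["body"].encode() if req["body"] else None
    r = urllib.request.Request(req["url"], method=req["method"], headers=req["headers"], data=data)
    with urllib.request.urlopen(r, timeout=30) as resp:
        print(redact(resp.read().decode(), key))
    return 0


if __name__ == "__main__":
    try:
        sys.exit(main(sys.argv[1:]))
    except UsageError as e:
        print("error:", e, file=sys.stderr)
        sys.exit(1)
```

Run `PHANTOMBUSTER_API_KEY=... python wrapper.py abort 123 --dry-run` to see the refusal, then add `--yes` to see the redacted request that would be sent. The confirmation gate is deliberately a CLI flag rather than an interactive prompt: an agent cannot answer a prompt, but an orchestrator can be policy-checked for whether it is allowed to pass `--yes`.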

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal