Security audit

Fiverr Gig Optimizer

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Fiverr coaching skill, but it gives concrete advice for avoiding disputes and moving marketplace buyers to off-platform billing, so users should review it carefully before installing.

Install only if you are prepared to constrain its advice against Fiverr and other marketplace rules. Treat the off-platform billing, CRM/email-list, and dispute-avoidance suggestions as high-risk business advice, not automatically compliant guidance. The package does not appear to run code or access your machine, but its coaching content may lead users toward platform-policy violations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill explicitly advises using a partial-refund/dispute-avoidance tactic to preserve seller metrics rather than directing users toward compliant marketplace resolution. That crosses from legitimate optimization into enforcement minimization and can encourage manipulation of platform trust and dispute systems.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
This section goes beyond gig optimization and provides tactics for migrating clients off-platform, including timing and methods for direct billing and external list-building. That creates policy-evasion risk and can facilitate circumvention of marketplace protections, monitoring, and fee structures.

Natural-Language Policy Violations

High
Confidence: 90%
Finding
The top-level description explicitly says the skill should be used to 'migrate clients off-platform,' which normalizes behavior that may violate marketplace no-circumvention rules. Embedding that objective in the skill metadata increases the chance the agent will proactively assist with policy-violating conduct.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding
The instruction to push buyers toward partial refunds so they do not open disputes is advice for minimizing enforcement consequences rather than resolving problems transparently. This can undermine buyer protections and encourage agents to optimize around trust-and-safety controls.

Natural-Language Policy Violations

High
Confidence: 98%
Finding
The skill gives concrete instructions to move repeat buyers to direct billing after 90 days and to build off-platform channels from marketplace customers. These are actionable circumvention tactics that may violate platform restrictions and reduce marketplace oversight and user protection.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.