Back to skill

Security audit

Substack Newsletter Coach

Security checks across malware telemetry and agentic risk

Overview

This is a newsletter coaching prompt with no evidence of hidden code, credential use, persistence, or automatic external actions.

Install only if you want writing and newsletter-growth coaching. Treat its platform, pricing, and growth advice as guidance to review before acting, especially before changing paid subscriptions or migrating platforms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description includes many broad trigger phrases such as "substack," "newsletter," and "writer launch," which can match routine user conversation and cause the skill to activate outside its narrow intended scope. Over-broad activation is a genuine security and safety concern because it increases the chance this skill is selected in irrelevant contexts, potentially overriding a more appropriate skill or causing unintended disclosure or low-quality guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.