Competitor Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent web-research skill, but its script has unsafe input handling that can let a crafted company name run local Python commands.

Do not install this version unless you are comfortable reviewing and fixing the shell script first. Use only public company names, avoid internal URLs or confidential targets, and replace the query encoding with a safe argument-passing pattern before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The script sends user-provided company or URL data to DuckDuckGo search endpoints without clearly warning the user that their input will be disclosed to a third party. If a user mistakenly supplies confidential identifiers, this can leak sensitive investigation targets, internal hostnames, or nonpublic URLs. The risk is compounded because the external search runs automatically and repeatedly across several queries, so a single mistaken input is disclosed more than once.

VirusTotal

65/65 vendors flagged this skill as clean.
