AnalyticLunch

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AnalyticLunch integration that uses the user's API key to read analytics data and create tracking links, with no hidden or deceptive behavior found.

Install this only if you are comfortable giving the agent access to your AnalyticLunch API key and analytics data. For safety, confirm before asking it to create tracking links, and use a revocable or scoped API key if AnalyticLunch supports that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad enough to activate on ordinary discussion of website performance, which can cause the agent to invoke this skill unexpectedly and send user-related queries to an external service. In a plugin/skill environment, overbroad routing increases the chance of unintended data disclosure or confusing tool use without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes a state-changing POST action to create tracking links but does not instruct the agent to obtain explicit user confirmation or warn that this modifies the user's AnalyticLunch account. This can lead to unauthorized or accidental creation of tracking artifacts, especially if the agent interprets an exploratory request as permission to act.

VirusTotal

66/66 vendors flagged this skill as clean.
