Back to skill

Security audit

Bullseye — Find the One Traction Channel That Works

Security checks across malware telemetry and agentic risk

Overview

This sales automation skill is disclosed, but it pushes agents to start outbound campaigns, collect user data, and route users toward paid upgrades without clear permission gates.

Review carefully before installing. Only use this if you want an agent to operate an outbound sales system through Essentialist, and require explicit confirmation before registration, contact upload, campaign creation, email sending, track activation/resume, domain credential changes, or any paid upgrade.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation text uses broad, natural-language conditions such as 'how do we get customers', 'which channel should we use', and 'growth is stalled on distribution', which can overlap with many ordinary business or marketing conversations. In an agentic system, this can cause over-activation of the skill outside its intended niche, steering responses toward this framework when other skills or more context-specific reasoning would be more appropriate.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.