Back to skill

Security audit

Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a plain sales-pipeline analysis helper with no evidence of hidden code, credential use, persistence, or data exfiltration.

This looks safe to install for sales pipeline review. Users should still be aware that broad phrases like asking to review a pipeline or identify deals needing attention may invoke it in normal sales conversations; review outputs before using them for forecasting or customer decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger "review my pipeline" is broad and could match ordinary user language without clearly signaling invocation of this specific skill. The manifest does not provide narrowing context, exclusions, or negative examples to distinguish when the skill should activate versus when a user is speaking more generally.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase "what deals need attention" is conversational and broad enough to overlap with normal discussion, increasing the risk of unintended invocation. The manifest does not limit activation context or specify exclusions, so the trigger boundary remains ambiguous.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.