Content Scorer

Security checks across malware telemetry and agentic risk

Overview

This marketing-copy scoring skill is coherent and purpose-aligned, but users should know normal scoring can send pasted copy to Anthropic if the local backend is unavailable.

Install only if you are comfortable using an Anthropic API key and possibly sending marketing copy or hooks to Anthropic during normal scoring, rewriting, or comparison. Use --demo and --compliance-only for no external call, and set LLM_BACKEND=local when you need local-only processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 97% confidence

Finding: The skill lacks a clear warning that premium mode transmits submitted marketing copy to an external API provider. Users may paste proprietary campaigns, customer data, or regulated content assuming local analysis, creating avoidable confidentiality and compliance exposure.

Missing User Warnings

Medium, 96% confidence

Finding: User-supplied marketing copy is transmitted to Anthropic's external Claude backend in auto/haiku modes without an explicit user warning or opt-in at the point of transfer. This can leak confidential campaign drafts, customer data, or regulated content to a third party unexpectedly, especially because 'auto' silently falls back from local processing to the remote service.

VirusTotal

66/66 vendors flagged this skill as clean.