Back to skill

Security audit

ABM Outbound

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed outbound-marketing skill, but it walks users through collecting personal contact data and home addresses for coordinated outreach without enough privacy, consent, or opt-out guardrails.

Install only if you have a lawful basis to collect, enrich, and contact these prospects. Prefer business contact data, avoid home-address or personal-phone outreach unless explicitly authorized, use restricted vendor API keys, review recipients before upload, and confirm opt-out, suppression, retention, vendor-processing, and applicable marketing-law requirements before running campaigns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly operationalizes collection and use of personal data across multiple channels: LinkedIn scraping, email/phone enrichment, skip-tracing for physical addresses, and downstream outreach. Without any privacy, consent, legal-compliance, retention, or user-warning language, it normalizes potentially unlawful or abusive handling of personal data and increases the risk of spam, stalking, harassment, and regulatory violations.

Missing User Warnings

High
Confidence
97% confidence
Finding
The outreach section provides concrete instructions for sending cold emails, LinkedIn messages, and handwritten letters to enriched recipients, including personalized messaging based on inferred or scraped data, but gives no warning about consent, opt-out handling, deliverability abuse, or physical-mail privacy implications. In this context, the skill is more dangerous because it converts aggregated personal data directly into coordinated contact campaigns, lowering the barrier to targeted spam or harassment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This reference explicitly instructs collection of personal emails, phone numbers, and later home addresses for outbound targeting, but provides no privacy, consent, legal-basis, or data-handling safeguards. In the context of an ABM automation skill that coordinates multi-channel outreach and handwritten letters, this materially increases the risk of privacy violations, harassment, noncompliant processing of personal data, and misuse of sensitive contact information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.