PopUp Organizer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent PopUp organizer API helper, but it gives an agent account-changing business authority without built-in confirmation or privacy guidance.

Install only if you trust this PopUp API integration and are comfortable giving the agent a PopUp organizer API key. Use a revocable or least-privilege key if available, and require the agent to summarize the exact event, vendor, inquiry, quote, amount, and profile changes before any create, update, delete, cancellation, or quote-response call.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill exposes destructive operations such as canceling events without documenting any requirement for explicit user confirmation or a safety interlock. In an agent setting, this increases the risk of accidental or prompt-induced destructive actions that notify vendors and disrupt business operations.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill grants access to profile, invoice, inquiry, and account-related data but provides no privacy or data-handling warning. In an agent context, this can lead to over-collection, unnecessary exposure in chat output, or disclosure of billing and personal information to unauthorized viewers of the session.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal