Security audit

Founder

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only startup consulting skill that gives business advice and reference lists without installing code, requesting credentials, or taking actions for the user.

Install this if you want startup and fundraising guidance to activate broadly on business-related prompts. Treat market sizing, valuation, legal, financial, analytics, and tracking recommendations as general advice; verify important numbers and add privacy, consent, retention, and data-masking controls before deploying analytics or session-recording tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High, 95% confidence

The activation description is extremely broad and includes generic business terms such as 'market analysis,' 'business advice,' and many startup-adjacent keywords. This can cause the skill to trigger in conversations where the user did not intend specialized founder guidance, leading to context hijacking, degraded routing accuracy, and inappropriate advice being injected into unrelated tasks.

Natural-Language Policy Violations

Medium, 87% confidence

The instruction to consider 'PIX, WhatsApp as a channel, market informality, price sensitivity, and local dynamics whenever the context is relevant' introduces a locale-specific bias without first establishing the user's geography or market. While not directly dangerous like code execution, it can skew recommendations, reduce relevance, and cause inaccurate strategic advice if applied to users outside that context.

Missing User Warnings

Medium, 92% confidence

The document recommends product analytics and session-recording tools such as PostHog, Hotjar, Microsoft Clarity, and Smartlook without any privacy, consent, retention, masking, or regulatory compliance guidance. In a founder-oriented skill, users may treat these recommendations as implementation advice and deploy invasive tracking by default, creating legal, reputational, and data-exposure risk if personal or sensitive user data is captured.

VirusTotal

66/66 vendors flagged this skill as clean.