
Security audit

B2b Lead Generation

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only B2B lead-generation skill, but it should be reviewed because it directs social-graph mining, contact collection, and personality profiling of identifiable people.

Install only if you intend to run privacy-sensitive B2B prospecting and have a lawful basis for the data collection. Avoid scraping private or credential-gated data, inferred emails, phone collection, and personality or non-work-interest profiling unless explicitly approved and compliant with applicable rules; treat generated reports as sensitive personal-data files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The skill explicitly directs collection of recent posts, comments, interests, and inferred communication and decision styles to build personality profiles for named individuals. This goes beyond what is necessary for ordinary B2B lead qualification and creates privacy, profiling, and manipulation risks, especially because the outputs are then used to tailor persuasion and outreach.

Vague Triggers

Medium (87% confidence)
Finding
The metadata description includes activation on broad phrases like 'Help me find customers' and 'Analyze competitors', which are common requests that can invoke the skill without clearly signaling that it will perform invasive lead intelligence and personal-data collection workflows. Overbroad triggering increases the chance of surprising users and launching high-risk data collection in contexts where the user did not intend or understand that behavior.

Vague Triggers

Medium (90% confidence)
Finding
The Trigger Conditions section lacks activation boundaries, exclusions, or guardrails, despite the skill performing extensive monitoring, contact discovery, and connection mining. Without precise boundaries, normal user requests can escalate into sensitive reconnaissance and personal-data processing beyond reasonable expectations.

Missing User Warnings

High (95% confidence)
Finding
The skill standardizes output fields including LinkedIn URLs, work emails, phone numbers, personality profiles, and generated outreach content, but the user-facing description does not clearly warn that it will gather and infer personal contact data from public profiles and third-party tools. This lack of transparency materially increases privacy, consent, and compliance risk because users may unknowingly trigger personal-data collection and enrichment workflows.

VirusTotal

62/62 vendors flagged this skill as clean.
