Promotion Engine

Security checks across malware telemetry and agentic risk

Overview

This is a local retail discount calculator with some accuracy caveats, but it does not show hidden access, persistence, credential use, network activity, or destructive behavior.

Reasonable to install for local promotion calculations. Before using it for customer-facing pricing, verify the knowledge-base data and be aware that the helper script may ignore SKU/category applicability and exclusions unless fixed or checked separately.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The code defines promotion applicability logic but never uses it when calculating discounts, so promotions can be applied to items or carts that should be excluded. In a retail pricing engine this can produce unauthorized discounts, policy bypasses, and incorrect totals driven entirely by crafted knowledge-base data or item selections.

Vague Triggers

Medium

Confidence: 77% confidence
Finding: Broad trigger phrases can cause the skill to be invoked in ordinary retail conversations where it lacks the necessary context or authoritative data. Unintended invocation increases the chance of hallucinated promotion advice or incorrect calculations being presented as definitive, especially because the skill is framed as always showing trustworthy 'calculation steps.'

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal