Back to skill

Security audit

Consumer Insights

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only customer feedback analysis skill with overly broad business wording, but it does not install code, access files, use credentials, persist data, or perform hidden actions.

Install only if you are comfortable using it as a general analysis prompt. Provide the minimum feedback text needed, redact confidential business details, personal data, credentials, contracts, budgets, and regulated information, and treat any recommendations or generated plans as drafts requiring human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is described as analyzing user feedback text, but the documentation broadens it into generic market research, business operations optimization, strategic decision support, and process automation. This scope expansion can mislead users into supplying unrelated sensitive business data or relying on outputs beyond the skill's intended competency, increasing the risk of overcollection and misuse of data.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The input section asks for generic business context, documents, requirements, stakeholders, budgets, and regulatory details instead of specifically requesting user feedback text. This mismatch can cause unnecessary collection of sensitive or irrelevant information, creating privacy and data-minimization issues even if no explicit exfiltration behavior is present.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.