Security audit

Non-Technical Agent Quickstart

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, with the main risk being that users may paste sensitive business communications into AI tools without enough privacy guidance.

Before installing or using it, avoid pasting confidential, regulated, customer, employee, financial, legal, credential, or trade-secret material into AI tools unless you have approval. Redact names, emails, account details, deal terms, and customer data, and check the AI provider's retention and training settings.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill repeatedly encourages users to paste emails, inbox contents, Slack messages, meeting notes, and investor/team updates into third-party AI tools, but provides no warning about confidentiality, personal data, trade secrets, or retention risks. In a business-founder context, this can expose sensitive customer, employee, financial, or contractual information to external services without informed consent or sanitization.

VirusTotal

64/64 vendors flagged this skill as clean.
