Back to skill

Security audit

Security Intelligent Marketing

Security checks across malware telemetry and agentic risk

Overview

This is a finance-marketing guidance skill with broad triggers, but it contains only disclosed planning templates and no hidden access, code execution, credentials, persistence, or data transfer behavior.

Install this only if you want assistance drafting or analyzing financial marketing campaigns. Treat outputs as planning drafts, and have qualified compliance review any customer segmentation, investment-product claims, yields, rewards, SMS content, or advertising copy before use with real customers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list contains very broad and common terms such as 'content marketing', 'campaign design', and their Chinese equivalents, which can cause the skill to activate outside the user's intended context. In a banking and securities marketing skill, unintended activation is more concerning because it may steer conversations toward regulated financial promotion workflows without clear user intent.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
Marking Chinese triggers as '优先' establishes a language-priority policy without explicit user consent, which can override the user's expected language or cause routing based on language rather than intent. While not directly enabling code execution or data exfiltration, it can lead to misactivation, degraded UX, and potentially problematic handling of regulated financial marketing content in the wrong language context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.