Security audit

Insurance Digital Live

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only insurance live-streaming sales assistant with disclosed compliance and lead-generation guidance, but users should apply regulated-sales and privacy controls.

Install only for licensed or supervised insurance marketing workflows. Do not use it as a substitute for compliance review, investment advice, underwriting, claims decisions, or collection of sensitive customer information without clear consent and approved data-handling procedures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The appendix states the skill is not for investment advice, but nearby sections explicitly include market event interpretation, investment opportunity messaging, and product recommendation workflows. That contradiction can mislead users into relying on the skill for regulated financial guidance while believing it is safely out of scope, increasing compliance, consumer harm, and mis-selling risk.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger set is broad enough to activate on generic insurance, marketing, and advisory contexts without clear user-intent or role constraints. In a skill that generates sales, compliance, and conversion scripts, overbroad invocation raises the chance of the assistant being used in inappropriate contexts, including unreviewed solicitation or regulated communications.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes explicit lead-capture and off-platform migration flows to comments, private messages, enterprise chat, and groups, but the description and safeguards do not clearly disclose privacy, consent, retention, and data-handling risks. In an insurance context, this can facilitate collection of sensitive personal and health-related information without adequate notice or controls, creating significant privacy and regulatory exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.