Security audit

Insurance Marketing Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable conversational insurance marketing assistant; its main risk is broad activation and advisory compliance output, not hidden or unsafe behavior.

Install only if you want an assistant for insurance marketing content. Treat its compliance review and regulatory summaries as drafting support, not legal approval, and review all generated materials with your company compliance or legal team before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill states users can access it by 'directly telling me your need' with 'format arbitrary,' which makes invocation effectively open-ended. In an agent environment, this increases the chance the skill is triggered by unrelated natural-language requests and may cause unintended generation of regulated insurance marketing content or compliance advice without clear user intent.

Vague Triggers

Medium
Confidence: 84%
Finding
The example trigger phrases are generic conversational requests like 'help me write copy' or 'generate a poster,' which overlap with common speech and could match many unrelated conversations. Because this skill produces marketing and compliance-related output in a regulated domain, accidental activation can lead to inappropriate advice, unintended content generation, or processing of sensitive user-supplied business/customer information in the wrong context.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrase set includes broad marketing-oriented terms that can easily overlap with ordinary user requests, increasing the chance the skill is invoked unintentionally. In a conversation skill that can generate marketing content and perform compliance-related actions, accidental activation could expose users to unreviewed outputs or unintended workflow execution.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger at this location is ambiguous in normal conversation and could match everyday usage, causing the skill to activate when the user did not intend to use it. Because this skill targets WeChat and marketing/compliance workflows, unintended invocation may generate or review regulated insurance content in the wrong context.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list as a whole lacks clear scope constraints and contains multiple broad activation terms, which increases the attack surface for accidental or opportunistic invocation. In this skill's context—insurance marketing and compliance assistance for social platforms—overbroad triggering is more dangerous because it can influence regulated messaging and business communications.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.