Back to skill

Security audit

Geo Metrics Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a planning and template skill for GEO metrics dashboards and alerts, with no evidence of hidden data access or autonomous monitoring behavior.

Install this if you want a planning aid for GEO metrics monitoring. Review generated schemas, alert thresholds, dashboard plans, and any suggested integrations before connecting them to real business systems, APIs, notification channels, or sensitive logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a clear mismatch because the declared purpose describes an operational monitoring and alerting system for GEO metrics, while the actual code only builds a default list of metrics and emits a markdown table plus example schema. The code does not collect data, monitor anything over time, visualize metrics, detect spikes/drops, or trigger alerts. Its primary purpose is documentation/template generation, which is materially different from the described real-time monitoring orchestrator.

Vague Triggers

Medium
Confidence
95% confidence
Finding
This markdown file is in scope for vague-trigger review. The instruction to 'not limit triggering only to the exact keywords above' and to trigger whenever the intent is designing or improving ongoing GEO tracking removes clear boundaries and relies on subjective interpretation, which can cause unintended activation for loosely related analytics requests.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.