Back to skill

Security audit

Gingiris Growth Finder

Security checks across malware telemetry and agentic risk

Overview

This is a text-only growth-strategy router whose main risk is broad activation, not hidden or harmful behavior.

Install this if you want a broad Gingiris growth-playbook router. Be aware it may be selected for many marketing, launch, or growth questions, so users who prefer only specialist skills may want narrower routing or manual invocation. Review and install the related Gingiris playbooks only if you trust and need that ecosystem.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata advertises very broad auto-triggering on almost any growth-related question, but the later usage guidance says it should only be used as a meta-router when the user does not know which specialist to pick. This inconsistency can cause the router to intercept requests that should go directly to specialist skills, leading to misrouting, unnecessary prompt capture, and degraded agent behavior.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file contains conflicting invocation rules: the top-level description says to use this skill whenever the user asks how to grow or launch something, while the when_to_use section says not to trigger when a specialist skill is already clearly applicable. Contradictory activation guidance is dangerous because agents may invoke the wrong skill path unpredictably, reducing reliability and potentially suppressing more appropriate controls or expertise in downstream skills.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README explicitly states the skill is auto-invoked on broad categories like any growth question and lists many generic triggers such as marketing strategy, GTM, and product launch. In an agent runtime, such broad routing can cause the skill to activate in situations where the user did not intend to invoke a third-party marketing playbook, increasing prompt-surface exposure and the chance of inappropriate routing or instruction interference.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The auto-trigger list includes highly generic phrases such as 'how to grow,' 'marketing strategy,' 'go to market,' and 'user acquisition,' which are common in ordinary conversation and likely to collide with unrelated contexts. Overbroad triggers increase unsolicited activation, causing prompt hijacking at the orchestration layer and making the agent less predictable or controllable.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger block repeats many vague, high-collision terms across languages without scope constraints, further increasing the chance that normal user text will activate this meta-skill unexpectedly. Because this skill is a router, accidental activation can redirect or overshadow specialist workflows and create cascading misclassification of user intent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.