Back to skill

Security audit

Gingiris Ugc Matrix

Security checks across malware telemetry and agentic risk

Overview

This is a visible UGC growth playbook, but it includes high-risk guidance for scaled social accounts, synthetic personas, ban avoidance, hidden promotion, and bought app ratings.

Install only if you intend to review a high-risk growth playbook and can enforce your own compliance boundaries. Do not use it for fake reviews, undisclosed ads, synthetic identities presented as real people, sockpuppet account networks, ban evasion, or coordinated inauthentic promotion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
These lines recommend deceptive promotional tactics, including hiding the product name in subtitles rather than clearly presenting the promotion. In context, this undermines the earlier compliance framing and can facilitate covert advertising, moderation evasion, and misleading users about the commercial nature of the content.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The document states that multi-account strategies must comply with platform Terms of Service, but the broader SOP repeatedly promotes matrix-account scaling at large volume. That contradiction makes the compliance language ineffective and normalizes likely inauthentic coordinated behavior that can trigger bans, enforcement, or misuse by operators seeking to evade platform rules.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
These lines provide compliant-sounding guidance such as one account per real person or brand identity, but elsewhere the playbook advocates operating 50–500 accounts and handing accounts to creators. In this context, the contradiction materially enables fake-persona or coordinated-account schemes under a veneer of legitimacy.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This section moves beyond ordinary UGC guidance into covert AI impersonation and distribution tactics designed to make synthetic content appear human across multiple identities. In a growth playbook, that is dangerous because it supports deceptive amplification, platform abuse, and misrepresentation to audiences and advertisers.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The file says AI-generated content should be disclosed where required, but later cites success from AI hooks not being recognized as AI-generated. That contradiction encourages non-disclosure and stealth deployment of synthetic media despite the nominal compliance statement.

Intent-Code Divergence

Critical
Confidence
99% confidence
Finding
This finding reflects a direct conflict: the SOP forbids creating multiple accounts to simulate different people, yet elsewhere promotes generating different-person AI variants for distribution across separate accounts. That is a textbook deceptive multi-account impersonation pattern with substantial abuse potential.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This section includes app-rating manipulation advice, including suggested 'buy rate' levels and lower-risk platform selection. That is outside legitimate UGC operations and can facilitate marketplace fraud, trust erosion, and enforcement action from app stores.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly instructs users on operating large-scale social media account matrices and includes evasive operational guidance such as using 'clean overseas IPs,' avoiding domestic SIM cards, and warming accounts before posting. In an AI-agent skill context, this can facilitate automated platform-policy evasion, deceptive amplification, and account abuse without any warnings about legal, platform-enforcement, or reputational risk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very generic phrases such as "UGC," "user generated content," "creator program," and "creator economy," which are common terms in ordinary marketing conversations. This can cause the skill to activate in unrelated contexts, increasing the chance that the agent injects growth-hacking guidance unexpectedly or overrides a more appropriate skill. In this skill's context, the risk is amplified because it contains aggressive multi-account and large-scale content distribution tactics, so accidental invocation can steer outputs toward spammy or policy-risky recommendations.

Ssd 4

Medium
Confidence
94% confidence
Finding
This section normalizes AI-generated personas that appear human and are deployed across multiple accounts, which is a deceptive identity strategy. In the context of a UGC growth SOP, it increases the likelihood of coordinated inauthentic behavior and hidden synthetic influence operations.

Ssd 2

Medium
Confidence
93% confidence
Finding
Encouraging creators to make AI content hard to recognize as AI is evasion-oriented guidance. Even if framed as aesthetic advice, in this context it supports avoiding detection and undermines disclosure and authenticity expectations.

Ssd 2

Low
Confidence
88% confidence
Finding
The instruction to hide the product name in subtitles conceals promotional intent and can mislead users or moderators about the nature of the content. Within a scaled UGC distribution playbook, that tactic can be reused as an evasion pattern across many posts.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.