Back to skill

Security audit

Agency Client Reporting

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only agency reporting kit with no executable code or hidden data access, but users should avoid pasting confidential client data into unapproved AI tools.

Install/use is reasonable as a prompt-only skill. Before using it, confirm you are authorized to provide the client information, redact unnecessary client identifiers or sensitive commercial details, use an approved AI provider for confidential data, and carefully review generated reports for accuracy, confidentiality, and truthful ROI or urgency claims before sending them to clients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly tells users to paste client data into an external AI tool but provides no warning about confidentiality, data minimization, or whether the tool/provider retains prompts. In an agency context, that client data may include business metrics, account performance, churn indicators, strategy details, or other sensitive commercial information, creating a realistic risk of unauthorized disclosure or policy noncompliance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is designed to process client reporting, health scores, budgets, contract terms, and renewal proposals, which are likely to contain sensitive business and relationship data. Omitting any warning or handling guidance increases the chance that users paste confidential client information into the skill without considering minimization, consent, storage, or redaction requirements.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document includes an internal-only client health assessment with sensitive relationship, churn-risk, payment reliability, and expansion-strategy notes, but it is not clearly labeled or segregated as confidential internal material. If this content is accidentally shared with the client or exposed through the skill, it could damage trust, reveal negotiating posture, and disclose internal business judgments the client was not meant to see.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.