Back to skill

Security audit

company-research-intelligence-agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Explorium API client, but it needs review because it handles API keys, sends user queries to a third-party service, exports research data locally, and includes person/contact enrichment beyond simple company lookup.

Install only if you are comfortable using Explorium for company and prospect research, including potential personal contact enrichment. Treat the API key as sensitive, avoid copying real keys from terminal output into logs or screenshots, and review exports before saving or sharing them because they may contain business intelligence or personal contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, reads and writes local files, accesses environment variables, and makes remote API calls, yet it declares no permissions or user-facing consent boundaries. This creates a trust and sandboxing problem: users and hosting platforms cannot accurately assess or restrict what the skill can do before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is company research, but the skill also supports prospect/person discovery, arbitrary business and prospect querying, event retrieval, CSV utilities, and local credential configuration. This mismatch can mislead users into authorizing broader data collection and local side effects than expected, increasing privacy and misuse risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill writes gathered research data to a CSV in the user's Downloads directory without making disk persistence and data sensitivity prominent at the point of use. This can expose business intelligence, contact data, or due-diligence material to other local users, backup systems, or unintended sharing workflows.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill expands from company research into executive and senior-contact discovery, which materially changes the data sensitivity and privacy profile of the workflow. Users may not expect person-level search and profiling under a company-research skill, and the feature can facilitate targeted intelligence gathering.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI exposes broad business and prospecting operations, including prospect/person workflows, while the skill is presented as company research and due diligence. This scope mismatch is dangerous because users or downstream agents may invoke data collection and enrichment capabilities they did not expect, leading to privacy, consent, and policy violations beyond the advertised use case.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code includes prospect enrichment endpoints and contact/profile operations that go beyond company intelligence into individual/person data handling. In the context of a company research skill, that hidden capability increases the risk of unauthorized personal data processing, especially if an orchestrating agent assumes only company-level information is in scope.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The setup script prompts for an API key and persists it locally even though the skill is an unofficial community plugin, which increases the trust burden and the risk of credential theft if the installed CLI is later modified or is not trustworthy. In addition, the script later encourages handling the same secret in ways that can expose it, so collecting and storing the key during setup is more dangerous than necessary.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The script states that setup only installs the CLI and optionally saves an API key, but it also executes the newly installed Python program during the smoke test. Running installed code during setup expands the attack surface because any malicious or unexpected behavior in the CLI executes immediately, contrary to the user's documented expectation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The documented trigger phrases are very broad, natural-language prompts such as 'tell me about', 'what do you know about', and 'analyze this company'. In agent environments that auto-route skills based on trigger matching, these phrases can cause the plugin to activate during ordinary conversation, leading to unintended company-data lookups and unnecessary transmission of user queries to the external API.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Broad triggers such as 'tell me about' and 'what do you know about' are likely to activate the skill during ordinary conversation, potentially causing unintended API calls, data transmission, or workflow execution. Accidental invocation is especially risky here because the skill performs remote queries and can write files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The instructions include exporting data to local disk but do not pair that action with a clear warning about persistence, file location, or sensitivity. Silent or poorly disclosed writes increase the chance of unintentional data retention and local exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool writes fetched or enriched data to any user-supplied CSV path without warning, retention controls, or minimization, which can persist potentially sensitive company or personal data outside transient storage. This increases exposure through accidental sharing, insecure directories, backups, or later unauthorized access on multi-user systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly advertises enrichment of prospects with personal email, direct phone, and mobile phone data, but provides no privacy, consent, lawful-basis, or handling restrictions. In a company research and due-diligence skill, this materially increases the risk that users will collect and use personal contact data for profiling, outreach, or surveillance in ways that violate privacy expectations or applicable regulations.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script prints a shell export command containing the user-supplied API key directly to terminal output. This can leak the secret into terminal scrollback, logs, screenshots, shell history if copied, or remote session recordings, creating an unnecessary credential exposure path.

Ssd 3

Medium
Confidence
93% confidence
Finding
The optional request_context can include the user's full query text and send it to the external API, which may contain confidential business intent, target lists, or sensitive investigative context. Because this metadata leaves the local environment and is associated with server-side grouping, it creates a meaningful privacy and data governance risk if used without explicit informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.