Dotcom Secrets

Security checks across malware telemetry and agentic risk

Overview

This appears to be a prompt-only business/book companion skill with broad activation language, but there is no evidence of hidden actions, credential use, persistence, or data exfiltration.

Install this if you want proactive sales-copy or offer-building guidance from the referenced framework. Be aware it may activate too often on general business or conversion discussions, so remove or narrow it if it becomes distracting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger list is broad and includes many generic business phrases such as wanting better offers, trust, or improved conversions, which can cause the skill to activate in unrelated conversations. In an agent environment, overly broad activation can hijack routing, surface irrelevant guidance, and crowd out more appropriate or safer skills, especially because the file also instructs proactive onboarding behavior.

Vague Triggers

Medium
Confidence: 90%
Finding
The statement that the skill will appear whenever it 'senses this book could help' creates an undefined, subjective activation rule that encourages opportunistic invocation beyond clear user intent. Combined with the instruction to proactively present the full Quick Start, this increases the chance of unsolicited responses and misrouting in ordinary conversations.

VirusTotal

64/64 vendors flagged this skill as clean.
