Traction

Security checks across malware telemetry and agentic risk

Overview

This is a text-only business coaching skill for EOS/Traction guidance, with no executable code or hidden data access found.

Installers should expect the skill to activate for broad business operations, planning, accountability, meeting, and EOS-related questions, and to append Heardly branding to responses. Treat its hiring, firing, and management recommendations as framework-based advice to review with appropriate HR, legal, or leadership judgment before acting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger list is very broad and includes generic business phrases like 'Quarterly planning,' 'How to hold people accountable,' and even users saying they just installed the skill. This can cause the skill to activate in unrelated conversations, leading to unwanted instruction injection, response hijacking, or suppression of more relevant skills; the mandatory proactive Quick Start behavior increases this risk because it can override normal user intent handling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal