Ai Lead Generator Skill

Security checks across malware telemetry and agentic risk

Overview

The skill does not show malware behavior, but its advertised lead-generation and compliance claims are broader than the code supports and involve personal contact data without enough privacy guidance.

Review before installing. Treat this as a local sample-data generator, not a validated Apollo or LinkedIn lead-generation tool, and do not provide LinkedIn, Apollo, CRM, or other credentials unless a future version clearly documents official authorization, scopes, privacy compliance, and user controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill clearly promotes collecting, validating, exporting, and operationalizing personal business contact data, including direct email addresses and phone numbers, but does not warn users about privacy, consent, jurisdictional restrictions, or misuse risks. In a lead-generation context, this omission can enable non-compliant harvesting and outreach workflows, increasing the likelihood of privacy violations, spam, and regulatory exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
