CreezFinance

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Creez investor Q&A and lead-capture skill, with a privacy caveat around sending provided contact details to Creez for follow-up.

Install only if you are comfortable with Creez-hosted APIs receiving investor questions. Do not provide email, WeChat, company, availability, or other contact details unless you are comfortable having them sent to Creez/the founder for follow-up and potentially stored or forwarded internally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to transmit investor PII (name, email, WeChat, company, message) to a backend/founder once intent criteria are met, but it does not require explicit user consent at the moment of transfer or provide a privacy notice about where the data is sent and for what purpose. In a lead-generation context this is functionally expected, but the lack of a clear disclosure increases privacy and compliance risk because users may believe they are only chatting with the assistant rather than authorizing onward sharing.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal