Inventory Waste Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for inventory optimization, but it includes automated ordering and purchase-order authority without clear approval limits.

Review carefully before installing. Use recommendation-only or dry-run mode first, connect only dedicated least-privilege Google Sheets, verify the ThumbGate npm package before running the npx command, and do not allow PO creation or supply purchases unless every order requires explicit human approval with clear budget, vendor, and item limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
This is a markdown file, so SQP-2 applies to missing user warnings in documentation. Line 6 instructs users to connect the agent to sales and inventory spreadsheets, which could expose sensitive operational data, but the guide provides no caution about data access, permissions, or privacy implications.

VirusTotal

63/63 vendors flagged this skill as clean.
