Back to skill

Security audit

Lead Discovery

Security checks across malware telemetry and agentic risk

Overview

This lead-generation skill is coherent, but it can automatically collect contact details, store research, and create CRM records on a schedule without enough scope or control details.

Review before installing. Only use this with CRM and memory workspaces you are comfortable letting an agent modify, and configure a manual approval step before CRM writes or outreach queues. Confirm what contact data may legally be collected in your target markets, how long Supermemory notes are retained, and how scheduled runs can be paused or audited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly extracts and stores personal/business contact data such as email, phone, and WhatsApp details into CRM and Supermemory, but provides no notice, consent basis, retention limits, or data-handling controls. In a lead-generation context, this creates privacy/compliance risk and increases the chance of unauthorized collection, over-retention, or inappropriate downstream outreach using scraped personal data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.