Clients

Security checks across malware telemetry and agentic risk

Overview

This is a local client-record organizer that may store sensitive business details on the user's computer, but it shows no hidden code, network transfer, credential use, or destructive behavior.

Install this only if you want the agent to help maintain a persistent local ~/clients/ folder. Approve any creation, edits, or movement of client files, and avoid storing confidential contracts, invoices, contact details, or communications unless you are comfortable keeping them in that local folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding:
The trigger conditions are very broad (e.g., any mention of a client or need for context), which can cause the skill to activate in situations the user did not intend. In a skill that handles business records, this increases the chance of unsolicited processing, inappropriate file operations, or exposing client-related context during unrelated conversations.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill instructs creation of a persistent workspace under ~/clients/ without an explicit disclosure or confirmation. Because this workspace is intended to store contacts, communications, invoices, and contracts, silent creation can lead to unintended collection and retention of sensitive business and personal data on the user's machine.

VirusTotal

66/66 vendors flagged this skill as clean.
