Security audit

product-expert-review

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only product review skill whose browsing, screenshot analysis, competitor research, and optional Feishu sharing are disclosed and aligned with its purpose.

Install this if you want structured product or UX review reports. Avoid using confidential screenshots, internal product URLs, or proprietary analysis unless you are comfortable with the agent researching them, and only use the Feishu document option when external sharing of the final report is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill description is broad enough to match many generic requests about evaluating products, reviews, UX, comparisons, and reports, which can cause over-invocation outside the user's precise intent. This is dangerous because an overly eager skill may trigger web browsing, screenshot analysis, or document-delivery behaviors in contexts where the user only wanted lightweight advice, increasing privacy and tool-use risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs uploading the full report to a Feishu doc when the user wants sharing or when the task 'requires delivery', but it does not require a clear warning that report contents will be transmitted to a third-party service. This can lead to unintended exfiltration of potentially sensitive analysis, URLs, screenshot-derived content, or business information to Feishu without informed user consent.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.