Security audit

Startup Pitch Deck

Security checks across malware telemetry and agentic risk

Overview

This is an unfinished startup pitch deck skill, but the artifacts show no hidden code, credential use, persistence, network behavior, or destructive capability.

Safe to install from a security standpoint, but treat it as incomplete. Before relying on it, the publisher should replace the TODOs with clear invocation rules, workflow steps, limits, and review guidance, especially for confidential startup plans, financial projections, investor lists, or proprietary strategy.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The skill description is still placeholder text and does not specify when the skill should be invoked, what tasks it is for, or its boundaries. In an agent system, vague or missing invocation conditions can cause the wrong skill to be selected, broaden the context unnecessarily, and increase the chance of unsafe or inappropriate actions being taken under the wrong workflow.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The Overview section is unfinished, leaving the skill's operational scope undefined. This makes the skill ambiguous to both humans and automated agents, increasing the risk of misuse, over-broad interpretation of its capabilities, and accidental application in contexts where stronger constraints or different skills are required.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal