Client Intake Bot Pro

Security checks across malware telemetry and agentic risk

Overview

This is a plain markdown client-intake workflow with disclosed lead capture and follow-up behavior, but users should configure privacy, consent, and integration limits carefully.

Before installing, decide what lead data you actually need, disclose how it will be stored and shared, require opt-in before newsletters or SMS/email nurture, avoid collecting sensitive files unless necessary, and use limited-permission integration accounts with human review for important outbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill is designed to collect and route prospect information across forms, chat, CRM, email, calendar, and SMS integrations, but it provides no guidance on consent, minimization, retention, or secure handling of personal/business data. In practice this encourages users to deploy a lead-processing workflow that may expose sensitive prospect details to multiple third-party systems without adequate notice or controls.

VirusTotal

62/62 vendors flagged this skill as clean.
