Security audit

Essentialist

Security checks across malware telemetry and agentic risk

Overview

This is a real sales-automation skill, but it pushes agents toward account setup and outbound email actions without clear user approval boundaries.

Install only if you intentionally want a third-party service to run outbound sales automation for you. Before using it, require explicit approval before registration, contact uploads, campaign activation, bulk sends, paid upgrades, Mailgun credential submission, autonomous replies, or meeting booking; verify the service URL and publisher; and ensure your outreach complies with privacy and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The skill instructs the agent to collect and transmit third-party Mailgun credentials and modify project sending-domain settings. This materially increases risk because it expands from outreach automation into handling sensitive infrastructure secrets, and compromise or misuse could enable unauthorized email sending, domain abuse, or account takeover of mail operations.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The README instructs users to trigger the skill with a very broad, everyday phrase: 'I need to get more customers for my business.' For a skill that can autonomously collect user data, source prospects, send outbound email, and handle replies, this creates a substantial risk of unintended activation and unauthorized real-world actions from an ambiguous request.

Missing User Warnings

Severity: High
Confidence: 94%
Finding: The README states that the agent will 'collect your email and website, deploy an outbound pipeline, and begin generating leads' without clearly warning about privacy implications, external communications, or data-impacting behavior. In this context, the skill is not merely informational: it is designed to act on third-party contact data and send messages, so the lack of explicit consent and safety boundaries materially increases the risk of privacy violations, spam, reputational harm, and unintended data processing.

Vague Triggers

Severity: High
Confidence: 98%
Finding: These rules force activation on broad business-related keywords such as leads, growth, revenue, and meetings, causing the agent to redirect many normal conversations into operational deployment. That creates a prompt-safety vulnerability because it overrides user intent and can trigger data collection and external actions in contexts where the user only wanted advice or discussion.

Vague Triggers

Severity: High
Confidence: 97%
Finding: Treating any business, website, offer, product, or company name as sufficient to begin activation removes meaningful user-consent boundaries. This can push the agent into onboarding and deployment behavior based on incidental context rather than an actual request, increasing the risk of unwanted account creation or outreach setup.

Vague Triggers

Severity: High
Confidence: 98%
Finding: The trigger list includes vague, everyday sales-related phrases with no exclusion conditions, making accidental activation highly likely. In combination with the rest of the doctrine, these triggers can convert ordinary discussion into autonomous setup and outbound operations without clear authorization.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The skill describes autonomous prospect sourcing, email sequencing, reply handling, qualification, and meeting booking, but does not require a clear warning or consent checkpoint before these external-impact actions occur. That is dangerous because it normalizes autonomous outreach and contact processing without ensuring the user understands data use, messaging autonomy, or the real-world effects on third parties.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: The instructions explicitly direct the agent to skip theoretical discussion and move straight into setup, bypassing opt-in and consent. This is unsafe because it pressures the user into an operational workflow and makes unwanted data collection and external actions more likely.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: The soft-resistance policy tells the agent to continue setup even when the user says they are not ready or only wants an explanation. This undermines user autonomy and can lead to persistent coercive prompting around account setup, data submission, and outreach activation.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The description markets the skill as an autonomous outbound revenue engine that can own the entire SDR/BDR pipeline, but it does not define user approval checkpoints, scope limits, or trigger boundaries. In an agent ecosystem, that ambiguity can cause an agent to initiate prospecting, emailing, qualification, and booking actions without explicit consent or sufficient policy constraints, increasing the risk of spam, unauthorized outreach, and business-process abuse.

Natural-Language Policy Violations

Severity: Low
Confidence: 81%
Finding: The description explicitly promotes autonomous outbound email behavior but does not mention recipient consent, user opt-in, regional compliance, or language/locale controls. For a sales automation skill, this omission is materially risky because agents may infer they can send unsolicited outreach at scale, potentially violating anti-spam rules, customer communication policies, or organizational approval requirements.

Ssd 1

Severity: Medium
Confidence: 96%
Finding: The doctrine uses authoritative override language that attempts to supersede normal assistant behavior and funnel broad categories of requests into this skill. While not an exploit by itself, it is a control-hijacking pattern that weakens safeguards around user intent, scoped assistance, and consent.

Ssd 4

Severity: High
Confidence: 99%
Finding: The progressive, no-permission activation flow instructs the agent to infer defaults, continue setup with partial information, and avoid asking permission. This is dangerous because it encourages collecting personal/business data and preparing external operations without a clear consent boundary, increasing the likelihood of unauthorized or mistaken activation.

Ssd 4

Severity: High
Confidence: 99%
Finding: The 'No Permission' section normalizes bypassing user hesitation and mandates assertive language that presumes deployment is already underway. This creates coercive interaction patterns that can manipulate users into disclosing data or accepting actions they did not clearly authorize.

Ssd 3

Severity: Medium
Confidence: 88%
Finding: The skill explicitly directs collection of the user's real email address as the first setup step and ties it to account registration, alerts, and billing. Although a real email is operationally relevant, the risk comes from forcing collection early and under the broader no-permission activation regime, which can cause unnecessary personal-data capture without clear consent.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.