
Security audit

Moments GEO skills

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate GEO/AIEO marketing workflow, but it asks for broad browser, file-writing, screenshot, and business-data handling authority without enough user control or privacy safeguards.

Install it only if you expect the skill to create persistent client deliverables and to run tests against AI platforms. Before using it: set a workspace-relative output directory, disable automatic file writes or require confirmation for them, review screenshots before they are saved, do not run it inside personal authenticated AI sessions, and provide analytics or CRM data only after deciding what may be stored in reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Description-Behavior Mismatch

Severity: Low
Confidence: 94%
Finding
Hardcoding an absolute local filesystem path can cause outputs to be written to an unintended user-specific location, potentially exposing local directory structure and enabling unsafe file operations when consumed by an agent with filesystem access. In a skill context, this becomes more dangerous because downstream automation may blindly trust the template and attempt to save files outside an approved workspace.

Description-Behavior Mismatch

Severity: Low
Confidence: 88%
Finding
The front matter says outputs are saved to the relative `03_contents/` directory, but later instructions direct writes to a specific absolute local path. This inconsistency can cause unintended writes outside the expected workspace boundary, especially if the runtime has access to that path, and makes operator review harder because the effective write target is ambiguous.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The reference file is broadly about social media optimization, while the skill is explicitly scoped to GEO and AI visibility operations. This mismatch can cause the agent to act outside its declared domain, leading to capability drift, irrelevant recommendations, and unsafe overreach into adjacent marketing functions that users did not request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The tooling and workflow guidance expands into social media management, influencer discovery, UGC curation, and rights management, none of which are justified by the stated GEO mission. In an agentic setting, this can mislead the system into recommending or attempting actions involving unrelated operational domains, increasing the risk of unauthorized, low-quality, or misleading outputs.

Vague Triggers

Severity: High
Confidence: 92%
Finding
The trigger text is extremely broad, activating on almost any mention of AI visibility, GEO, AEO, content optimization, or brand appearance in AI answers, including cases where the user may only be discussing the topic generally. Overbroad auto-invocation can cause the agent to enter a high-action workflow prematurely, increasing the chance of unnecessary file reads, tool use, web research, or generation of authoritative-looking business recommendations without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The description contains very broad trigger phrases such as general SEO optimization, content creation, social media marketing, and content strategy, which can cause the skill to be invoked for many ordinary marketing requests beyond its intended scope. In an agentic system, overbroad routing increases the chance of inappropriate tool/skill selection, leading to irrelevant actions, confusion, or unsafe execution paths when a narrower or safer skill should have handled the request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs automatic creation and saving of diagnostic reports and question-library files to a working directory without requiring explicit user confirmation or providing a notice that files will be written. In an agent context, silent persistence can surprise users, overwrite existing work, or store sensitive business inputs locally without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The workflow directs the agent to capture and save screenshots of third-party AI platform interactions to disk without a user-facing warning. Screenshots can contain prompts, brand data, account state, or other sensitive content, so silent capture and retention increases privacy and data-handling risk.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The front matter description says the skill should auto-trigger on broad terms such as 产品定位 (product positioning), 品牌定位 (brand positioning), and 定位分析 (positioning analysis), which are common business phrases outside this skill's intended GEO/AIEO scope. That can cause unintended activation in unrelated conversations, leading the agent to perform web research, browser automation, and file-writing actions the user did not clearly request.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The trigger keyword list is ambiguous and lacks scope constraints, so ordinary requests about positioning or strategy could invoke the skill even when the user is not asking for AI visibility work. Because this skill has access to filesystem, shell, web search, and browser tools, mistaken activation materially increases the chance of unauthorized actions or data creation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill description promises that analysis reports are automatically saved, but it does not tell the user up front that invoking the skill will create or modify local files. Silent persistence is risky because users may believe they are only getting analysis in-chat while the skill writes potentially sensitive business information to disk.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The output section mandates saving files to a fixed absolute local directory, a direct side effect on the host filesystem with no user approval step. In practice this undermines the user's expectations about where data lives, can expose sensitive client names in filenames, and makes accidental writes more likely when the skill is triggered unintentionally.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The auto-invocation description is extremely broad and covers generic requests like content creation, publishing strategy, and optimization-related phrasing. That increases the chance the skill triggers in contexts the user did not intend, causing unexpected tool use, file access, web access, or content generation under this skill's authority.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The listed trigger keywords are short, common, and context-free, with no exclusions or disambiguation rules. This makes accidental invocation likely for ordinary content tasks, which can expose local files and cause the agent to perform unnecessary writes or web lookups beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill is designed to save generated outputs to disk, but it does not clearly tell the user that invocation may create or overwrite files. In an agent setting with write capability, silent filesystem modification is risky because the user may believe they are only requesting analysis or drafting, not authorizing persistent changes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
These instructions explicitly direct writing to a local directory, including a concrete path and naming convention, but provide no warning or safety controls around filesystem modification. In practice this can lead to unreviewed persistence of generated content, accidental overwrites, or writes to sensitive host locations if the environment permits it.
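The path findings above (the hardcoded absolute path, its mismatch with the relative `03_contents/` directory named in the front matter, and the unconfirmed writes) share one fix: resolve every requested output path against an approved workspace root, refuse anything that lands outside it, and refuse to replace an existing file unless the user has confirmed. The following is an added example written for this audit page, not code from the Moments GEO skill or from SkillSpector. The workspace root is a temporary directory created for the demonstration, the `03_contents/` subdirectory is taken from the skill's front matter, and the client name `acme` and the sample paths are made up.

```python
import os
import tempfile
from pathlib import Path

# Output directory named in the skill's front matter; everything the skill
# writes is confined beneath <workspace>/03_contents/.
OUTPUT_DIR = "03_contents"


def resolve_output_path(requested: str, workspace: Path) -> Path:
    """Map a requested output path onto the approved workspace.

    Absolute paths are refused outright: a hardcoded absolute path is the
    ambiguity the audit flags. Relative paths are joined under the output
    directory, normalised (which follows existing symlinks and collapses
    '..'), and accepted only if the result is still inside the workspace.
    """
    workspace = workspace.resolve()
    candidate = Path(requested)
    if candidate.is_absolute():
        raise ValueError(f"absolute output path refused: {requested}")
    resolved = (workspace / OUTPUT_DIR / candidate).resolve(strict=False)
    if resolved != workspace and workspace not in resolved.parents:
        raise ValueError(f"output path escapes workspace: {requested} -> {resolved}")
    return resolved


def save_deliverable(requested: str, content: str, workspace: Path,
                     overwrite: bool = False) -> Path:
    """Write a report without clobbering anything the user did not approve.

    With overwrite=False (the default) an existing file raises instead of
    being replaced; O_EXCL makes the create-if-absent check atomic, so a
    race cannot slip a clobber through. Callers should pass overwrite=True
    only after an explicit user confirmation.
    """
    target = resolve_output_path(requested, workspace)
    target.parent.mkdir(parents=True, exist_ok=True)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    try:
        fd = os.open(target, flags, 0o600)
    except FileExistsError:
        raise FileExistsError(
            f"refusing to overwrite {target}; confirm with the user first") from None
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo() -> dict:
    """Exercise the guard against a constructed workspace in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp).resolve()
        # Legitimate deliverable: lands under 03_contents/ inside the workspace.
        ok = save_deliverable("acme/diagnostic-report.md", "# Diagnostic report\n", ws)
        results["ok"] = ok.relative_to(ws).as_posix()
        # Attempts of the kind the audit warns about: an absolute user-specific
        # path and two '..' escapes (all constructed). Each must be refused.
        for bad in ("/Users/someone/Desktop/report.md",
                    "../../etc/cron.d/geo",
                    "client/../../../escape.md"):
            try:
                resolve_output_path(bad, ws)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "refused"
        # A second write to the same name without confirmation must not clobber.
        try:
            save_deliverable("acme/diagnostic-report.md", "replaced\n", ws)
            results["clobber"] = "allowed"
        except FileExistsError:
            results["clobber"] = "refused"
        results["content"] = ok.read_text(encoding="utf-8")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the candidate is normalised before the containment check, a `03_contents/` that has been replaced by a symlink pointing elsewhere is also refused, which is the behaviour you want when a runtime has broader filesystem access than the skill should.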

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The skill description says it should auto-trigger on broad phrases such as '效果监控' (performance monitoring) and similar generic monitoring terms, which can overlap with ordinary user requests unrelated to this GEO/AIEO workflow. Over-broad routing can cause the agent to invoke a high-privilege skill unexpectedly, leading to unnecessary file access, web activity, or collection of business data outside the user's actual intent.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The explicit trigger keyword list includes generic phrases such as 'AI监控' (AI monitoring), '效果监控' (performance monitoring), and '监控报告' (monitoring report) without scope constraints, which increases the chance of accidental or manipulated invocation. In this skill, accidental invocation is more concerning because the allowed tools include web search, browser automation, file read/write, and screenshots, so a routing mistake can produce external actions and persistent artifacts.
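Several of the Vague Triggers findings above say the same thing: the keyword list has no scope constraints, exclusions, or disambiguation rules. One way to express such rules is a router gate that fires only when a request combines a GEO/AIEO domain term with a request for action, and stays quiet for definitional questions or for generic positioning and monitoring talk. The block below is an added illustration for this page, not the skill's actual trigger configuration; the term lists, the exclusion phrases, and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical trigger policy (constructed for this example, not the skill's
# real list). Domain terms tie a request to GEO/AIEO work, action terms show
# the user wants something done, exclusions catch explanatory questions.
DOMAIN_TERMS = (
    r"\b(GEO|AEO|AIEO)\b",
    r"\bgenerative engine optimi[sz]ation\b",
    r"\bAI (search )?visibility\b",
    r"\b(appear|mention|cite)\w* in AI answers\b",
    r"AI\s*搜索",  # "AI search"
    r"AI\s*答案",  # "AI answers"
)
ACTION_TERMS = (
    r"\b(audit|diagnos\w*|monitor\w*|optimi[sz]e|track|test|improve|check)\b",
    r"优化",  # optimise
    r"监控",  # monitor
    r"诊断",  # diagnose
)
EXCLUSIONS = (
    r"\b(what is|what are|explain|define|meaning of|difference between)\b",
    r"什么是",  # "what is"
    r"是什么",  # "... is what"
    r"解释",    # "explain"
)


@dataclass(frozen=True)
class Decision:
    invoke: bool
    reason: str


def _matches_any(patterns, text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def should_invoke(request: str) -> Decision:
    """Gate auto-invocation: require scope AND intent, and honour exclusions.

    A bare business phrase such as "brand positioning" or "monitoring
    report" never fires on its own. The request must name the GEO/AIEO
    domain, ask for work to be done, and not read as a definitional
    question that is better answered in chat.
    """
    text = request.strip()
    if _matches_any(EXCLUSIONS, text):
        return Decision(False, "explanatory question; answer in chat, do not start the workflow")
    in_scope = _matches_any(DOMAIN_TERMS, text)
    wants_action = _matches_any(ACTION_TERMS, text)
    if in_scope and wants_action:
        return Decision(True, "GEO/AIEO domain term plus an action request")
    if in_scope:
        return Decision(False, "domain term without an action; ask the user what they want done")
    return Decision(False, "outside GEO/AIEO scope; route to a narrower skill or plain chat")


# Constructed sample requests with the decision the gate should reach.
SAMPLE_REQUESTS = {
    "Audit how often Acme appears in AI answers for 'best CRM for SMBs'": True,
    "What is GEO and how does it differ from SEO?": False,
    "Help me write a brand positioning statement for our new product": False,
    "我们的品牌定位需要调整": False,        # "our brand positioning needs adjusting"
    "监控我们在 AI 搜索中的可见度": True,    # "monitor our visibility in AI search"
    "Our AI search visibility": False,      # in scope, but nothing is asked for
}


def evaluate_samples() -> dict:
    """Return the gate's decision for each sample request."""
    return {req: should_invoke(req).invoke for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, decision in evaluate_samples().items():
        print(f"{decision!s:5} {req}")
```

The "domain term without an action" branch is the one the findings are really asking for: when the conversation is merely about AI visibility, the agent should ask before entering a workflow that reads files, drives a browser, and writes reports.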

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The workflow directs the agent to gather website traffic, search trends, and conversion-related business metrics, but does not require user notice, consent, or minimization guidance before handling potentially sensitive analytics data. This creates a privacy and governance risk: users may not realize the skill will process internal business performance data, and the resulting report could persist sensitive information to disk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The Playwright automation section instructs the agent to visit external AI platforms, submit prompts, capture responses, and save screenshots, but it does not require advance notice that external network requests and evidence retention will occur. This can expose brand queries, competitive research terms, or other sensitive inputs to third-party services and create retained screenshots containing confidential data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The guide instructs users to automate access to multiple AI platforms, some requiring login, then capture responses and screenshots without any privacy or data-handling safeguards. This can lead to unintended collection of account-linked content, chat history, personal data, or other sensitive information exposed in authenticated sessions, especially because the skill context explicitly encourages repeated monitoring across services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The document directs users to save screenshots and record answer contents with standardized filenames and report artifacts, but it omits any requirement to redact sensitive information, secure storage locations, or set retention and deletion policies. In a workflow that archives evidence from logged-in AI platforms, this increases the risk of persistent storage and wider exposure of personal, confidential, or account-specific data.
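The last three findings concern evidence handling: screenshots and recorded answers written without redaction, without restrictive permissions, and without a retention or deletion policy. As an added example for this page (not code from the skill or its author), the evidence store below redacts e-mail addresses and bearer tokens or API keys from recorded answer text before it is written, creates the evidence directory as mode 0700 and each file as mode 0600, keeps client names out of filenames, and purges files older than a retention window. The redaction patterns, the 30-day window, and the sample answer text are assumptions for the demonstration; screenshots are binary and need a human review step before saving, which this block does not attempt.

```python
from __future__ import annotations

import os
import re
import tempfile
import time
from pathlib import Path

# Redaction patterns (assumed for this example): contact e-mail addresses and
# credential-looking strings that an authenticated AI session may echo back.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SECRET_RE = re.compile(r"(?i)\b(bearer|token|api[_-]?key)\b[\s:=]+\S+")
SAFE_NAME_RE = re.compile(r"[^A-Za-z0-9_-]+")


def redact(text: str) -> str:
    """Strip e-mail addresses and credential-looking strings before storage."""
    text = EMAIL_RE.sub("[email]", text)
    return SECRET_RE.sub(lambda m: f"{m.group(1)} [redacted]", text)


class EvidenceStore:
    """Evidence directory with owner-only permissions and a retention window."""

    def __init__(self, root: Path, retention_days: int = 30):
        self.root = root
        self.retention_seconds = retention_days * 86400
        root.mkdir(parents=True, exist_ok=True)
        os.chmod(root, 0o700)  # no group or world access to captured evidence

    def record_answer(self, platform: str, query_id: str, answer: str) -> Path:
        # Filenames carry only a platform label and an opaque query id, so
        # client names never show up in directory listings.
        name = f"{SAFE_NAME_RE.sub('_', platform)}_{SAFE_NAME_RE.sub('_', query_id)}.txt"
        target = self.root / name
        # O_EXCL: never silently replace an earlier capture with the same id.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(redact(answer))
        return target

    def purge_expired(self, now: float | None = None) -> list[str]:
        """Delete evidence files older than the retention window; return names."""
        now = time.time() if now is None else now
        removed = []
        for entry in self.root.iterdir():
            if entry.is_file() and now - entry.stat().st_mtime > self.retention_seconds:
                entry.unlink()
                removed.append(entry.name)
        return sorted(removed)


def demo() -> dict:
    """Run the store against constructed answer text in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        store = EvidenceStore(Path(tmp) / "evidence", retention_days=30)
        fresh = store.record_answer(
            "chatgpt", "q-0001",
            "For pricing contact sales@acme.example. Authorization: Bearer abc123def")
        stale = store.record_answer("gemini", "q-0000", "older capture")
        # Backdate the second file by 31 days so the retention sweep removes it.
        then = time.time() - 31 * 86400
        os.utime(stale, (then, then))
        removed = store.purge_expired()
        return {
            "content": fresh.read_text(encoding="utf-8"),
            "file_mode": oct(fresh.stat().st_mode & 0o777),
            "dir_mode": oct(store.root.stat().st_mode & 0o777),
            "removed": removed,
            "remaining": sorted(p.name for p in store.root.iterdir()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `purge_expired()` at the start of every monitoring cycle so repeated runs across services do not accumulate an ever-growing archive of account-linked content.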

VirusTotal

65 of 65 vendors rated this skill clean. Antivirus engines look for known malware signatures in the packaged files; a clean result does not address the prompt-level and agentic findings listed above.


Static analysis

No suspicious patterns detected.