Security audit

AI Adoption Audit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent company AI research skill, with the main caveat that it saves and reuses local report files.

Install if you are comfortable with generated company AI adoption reports being saved locally and reused for up to 7 days. Avoid including confidential strategy, customer details, or sensitive internal notes unless local workspace retention is acceptable, and delete the output folder when you no longer want stored reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill defines persistent local storage, cache reuse, and historical retention for generated company reports, but presents itself primarily as a research/reporting tool rather than a data-persisting workflow. This creates an unintended data handling behavior: user queries and generated outputs may be written to disk and reused later without explicit consent, which can expose sensitive business research, create stale-report risks, and broaden the attack surface via local artifact accumulation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to archive reports and maintain history in local storage without warning the user that their inputs and generated reports will be written to disk. Even if the content is based on public information, the user's target list, research focus, and generated assessments may be sensitive, and silent persistence violates user expectations and privacy-by-default principles.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.