Back to skill

Security audit

TempGuru Staffing Agency Partner Growth

Security checks across malware telemetry and agentic risk

Overview

This is a single documentation-only skill that helps staffing agencies contact TempGuru, with a disclosed email workflow that should be user-confirmed before sending.

Install this only if you want an agent to help prepare a TempGuru partner inquiry. Before any email is sent, review the recipient, subject, agency name, markets, roles, W-2 statement, and capacity details; use the provided email or phone manually if you do not want the agent to send messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill goes beyond merely routing the user to an email/phone channel and explicitly instructs the agent to draft and send an email. That creates an external side effect not clearly bounded by the manifest description, increasing the risk of unauthorized outreach, transmission of inaccurate business claims, or disclosure of user/agency details without explicit confirmation and consent. In this context the danger is moderated because the target is a fixed business contact and the content is a partner inquiry, but it still expands the agent from informational routing into action-taking.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.