Back to skill

Security audit

AI商家搜索优化

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only local marketing skill; its main risk is that it helps publish business contact details publicly.

Install only if you are comfortable using the business name, full address, and phone number in public marketing articles. Confirm the details are business-only, accurate, and authorized for publication, review every generated article before posting, and do not rely on the skill as a guarantee of AI-search placement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly collects business name, full address, and phone number, then instructs the agent to embed that contact data into generated articles for publication. Even if the data is business-related rather than personal, it is still sensitive contact information and the skill provides no user-facing privacy notice, consent checkpoint, minimization rule, or warning about broad republication across third-party media. In this context, the workflow is specifically designed for mass dissemination, which increases the chance of unwanted exposure, doxxing of sole proprietors/home-based businesses, or publication of inaccurate contact data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.