Back to skill

Security audit

Convbox DTC Marketing Skills — ROAS Diagnosis & Attribution Analytics

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent read-only marketing analytics assistant, but its setup guidance asks users to place a live API key in chat and it stores business context for reuse, so it belongs in Review before installation.

Install only if you can configure CONVBOX_API_KEY through a trusted secret store or environment variable; avoid pasting the live key into chat history. Expect the skill to make read-only Convbox API calls, optionally query Meta/Google passthrough data through Convbox, and save store profile or threshold settings for future sessions. Review or clear memory.md when business benchmarks should not persist, and treat budget or campaign recommendations as manual decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill uses sensitive capabilities (environment variables, file reads, and network access) but does not declare permissions or clearly constrain their use. That reduces transparency and policy enforcement, making it easier for the skill to access secrets, local files, or remote endpoints in ways reviewers and users may not expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The public description frames the skill as a marketing analytics assistant, but the instructions also enable configuration validation, endpoint probing, schema checking, and health-check style diagnostics. That hidden operational behavior expands the trust boundary and could be abused to enumerate internal API behavior or perform unintended connectivity checks beyond what a user would reasonably infer from the description.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document says the skill does not call tools or other skills, yet later instructs it to invoke a utility skill. This contradiction undermines security assumptions and reviewability, because downstream execution paths may gain additional capabilities or data access that the top-level policy claims are not used.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The plan explicitly instructs writing shop-level threshold settings to persistent memory, even though the skill is framed as an analytics/diagnosis tool rather than a profile-management feature. Persisting user-provided business preferences without a clear consent and retention boundary can create unintended data storage, cross-session data leakage, and stale or misapplied baselines that affect future analyses.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide repeatedly instructs users to paste a live Convbox API key directly into AI chat prompts, while the strongest warning about conversation retention appears later and is not presented as a hard stop. This creates a credible secret-exposure path because chat logs may be retained by the agent platform, administrators, model providers, or plugins, and users are being encouraged to transmit credentials through that channel.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The intent examples include very broad phrases such as 'anything wrong with my campaigns' and 'what's off today', which can cause the skill to be selected for vague user requests that may not actually seek campaign anomaly analysis. In a routing-based agent system, overly broad triggers increase the chance of mis-invocation, causing unintended access to marketing analytics context and potentially misleading recommendations based on the wrong workflow.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The invocation examples are broad enough to match ordinary conversational requests such as 'how did last week look' or 'is our growth okay,' which can cause the skill to activate when the user did not clearly intend this specific analysis flow. Unintended routing can trigger unnecessary data access, unexpected queries, or disclosure of business metrics in contexts where the user expected a lighter-weight response.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The plan instructs persistent storage of thresholds but does not require a user-facing warning or consent flow before saving them. This is dangerous because users may not realize business performance baselines are being retained across sessions, creating privacy, governance, and trust issues, especially if the stored values influence future recommendations automatically.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger examples are broad enough to match many generic analytics requests, which can cause this plan to be selected when a more appropriate or narrower skill should handle the task. In a multi-plan agent, that increases the risk of misrouting, over-collection of data, and incorrect diagnostic conclusions that may influence business decisions.

Unbounded Output

Medium
Category
Output Handling
Content
1. **Load memory → summarize as session context.** Check for the store-profile memory (`memory.md`). If it exists, read it and briefly summarize it back to the user as the working context: business background (store URL, primary category, main objective), benchmarks (gross margin, target / breakeven ROAS, budget cap), and preferences (attribution model, report language, work role). Keep this to a few lines. If no memory exists, treat it as first-time setup and go to step 2.

2. **Confirm default configuration.** Ask the user to confirm the two defaults that drive everything downstream, showing what is currently on file (or "not set" for a first session):
   - **Work role** — defaults to **General** (all results, no trimming); or one of Founder / Marketing Director / CRM / Site Ops / Creative Strategist / Media Buyer.
   - **Store info** — store URL, primary category, main business objective, and benchmarks.

   Ask "Is this still correct?" If anything is wrong or missing, guide the user to fill in / correct it, then **write the updated profile back to memory** for reuse (see Section 2 for the field list and write rules).
Confidence
74% confidence
Finding
no trimming

Unbounded Output

Medium
Category
Output Handling
Content
## 4. Capability Scope

1. **Acquire store background and business needs**: Onboarding inquiry or memory read to build / update the store profile (objectives, benchmarks, role).
2. **Per-role daily / weekly / monthly reports**: For General (all results) / Founder / Marketing Director / CRM / Site Ops / Creative Strategist / Media Buyer, trimming "must-read / optional" content per the `functions.md` role focus list. General presents all results with no trimming.
3. **Themed daily / weekly / monthly reports**: Produce themed reports across the 10 analysis suites (Growth Command Center, Performance Marketing Copilot, Creative Intelligence Suite, Site Conversion Diagnostic Suite, Retention & Lifecycle Engine, Campaign Review & Promotion Quality Suite, Attribution & Budget Allocation Suite, Profit Protection Dashboard, Market Expansion Diagnostic Suite, Data Quality & Tracking Governance).
4. **Custom-window report for a single analysis theme**: For any atomic scenario, produce a dedicated report over a user-supplied custom date range.
Confidence
71% confidence
Finding
no trimming

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
access.yaml:9