Audience Builder

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only advertising audience planning skill, but using it safely requires careful handling of customer data.

Install only if you are prepared to apply your own privacy and approval process. Confirm lawful basis or consent for ad targeting, minimize exported fields, use platform-approved hashing or protected upload flows, secure and delete CSV exports, restrict access, and get human approval before uploading lists, syncing suppression audiences, changing budgets, or launching campaigns.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (9)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs users to export and upload customer match lists to ad platforms but provides no guidance on consent, minimization, retention, or secure handling of first-party customer data. In an advertising skill, this is contextually plausible business guidance, but omitting privacy controls can lead users to process personal data unlawfully or expose customer data through insecure exports and transfers.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Directing users to pull and segment full customer exports by purchase behavior and revenue creates a real privacy and data-governance risk when no safeguards are described. The skill encourages profiling based on transaction history and LTV tiers, which may be legitimate marketing activity, but without instructions on authorization, minimization, and secure processing it can result in unnecessary exposure of sensitive commercial data.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: Recommending shared suppression lists across Meta, Google, and TikTok without discussing consent and cross-platform data-sharing implications is a genuine privacy weakness. Cross-platform syncing increases the scope of personal-data disclosure and can create compliance issues if users have not agreed to this use or if the organization lacks proper vendor agreements and transfer controls.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The checklist explicitly calls for exporting customer files containing email, phone, name, and purchase history, which are sensitive personal data elements, but provides no requirements for lawful basis, minimization, consent, access controls, retention, or secure transfer. In a marketing operations skill, this omission can lead users to handle and share PII in ways that violate privacy obligations or expose customer data unnecessarily.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The prospecting section instructs users to create lookalikes and upload Customer Match/custom audiences across Meta, TikTok, and Google, but does not mention that this involves disclosing customer data to third-party ad platforms and may require notice, consent, and contractual controls. Because the skill is specifically designed to operationalize cross-platform audience sharing, the missing safeguards are more dangerous in context than in a generic planning document.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The guide explicitly recommends uploading customer identifiers such as email, phone, names, and address data to ad platforms, but omits any requirement to verify lawful basis, customer consent, platform terms, retention limits, or secure handling. In a marketing operations skill, this creates a realistic risk of privacy-law noncompliance and inappropriate disclosure of personal data to third parties, especially if users treat the document as a complete operational checklist.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The value-based LAL setup instructs users to upload a CSV containing direct identifiers plus lifetime revenue, which increases sensitivity because it combines identity data with financial/customer value information. Without any warning about consent, data minimization, secure transmission, or third-party sharing implications, the guidance can lead users to expose regulated or contractually sensitive customer data during ad-tech onboarding.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The template explicitly calls for customer segmentation, seed readiness assessment, and customer-match style data fields such as email, phone, and MAID, but provides no guardrails around lawful basis, consent, platform policy compliance, or minimization of personal data. In an advertising-audience skill, this omission can cause users to export and upload regulated personal data to third-party ad platforms in ways that create privacy, compliance, and data-sharing risk.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The implementation timeline contains a concrete action to perform customer file segmentation and upload across platforms, which operationalizes external transmission of personal data without any caution about sensitivity, authorization, or governance. Because this is an execution-oriented step rather than a hypothetical example, it materially increases the chance that users will handle customer PII unsafely or in violation of privacy obligations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal