Back to skill

Security audit

Cart Abandonment Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a marketing planning skill for abandoned-cart recovery; it does not run code or access accounts, but users should apply privacy and consent checks before using its outreach templates.

Install only if you need ecommerce cart-recovery planning. Before using any generated email, SMS, or push sequence, confirm recipients have the required channel consent, honor unsubscribes and suppression lists, respect quiet hours and local laws, minimize customer data, and review campaigns before launch. The metadata’s crypto/wallet/purchase/credential tags appear unrelated to the actual Markdown skill content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly recommends SMS and push outreach strategies, cadence, and examples but does not include any warning or guardrails about consent, opt-in requirements, suppression rules for channel eligibility, or jurisdiction-specific compliance obligations beyond a brief mention of 'compliant opt-in' in a table. This omission could lead users to deploy unsolicited marketing messages or misuse personal/contact data, creating privacy, regulatory, and trust risks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The checklist explicitly promotes collecting user ID, cart contents, product categories, device type, traffic source, and customer history for abandoned-cart tracking, but it does not pair that guidance with data minimization, notice, lawful basis, retention limits, or consent considerations where required. In a marketing automation skill, this omission can normalize unnecessary profiling and non-compliant behavioral tracking, creating privacy, regulatory, and trust risks even though the content is not directly executing code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template operationalizes cart-recovery outreach across email, SMS, and push, including timing, segmentation, and suppression rules, but it does not require any explicit consent, lawful basis, or channel-permission checks before sending. In a marketing automation context, this omission can lead users to design and deploy non-compliant customer outreach, especially for SMS/push where opt-in and quiet-hour requirements are legally sensitive.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.