Back to skill

Security audit

Product Sourcing Advisor

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only sourcing advisor with no executable access, but its supplier scoring uses English-language criteria that users should adjust.

Safe to install as an advisory skill. Before relying on its supplier rankings, adjust communication scoring to focus on response timeliness, clarity in the agreed working language, translation or bilingual support, documentation quality, and escalation reliability. Independently verify suppliers, certifications, landed-cost assumptions, trade rules, payment terms, and legal agreements before placing orders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The skill explicitly treats English fluency and response-time norms as positive scoring inputs, which can systematically disadvantage otherwise qualified suppliers based on language and timezone rather than sourcing outcomes. In a procurement workflow, this can embed unjustified bias into recommendations and cause the agent to steer users away from viable suppliers for non-essential reasons.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The workflow guidance normalizes English as the expected supplier communication language, which can propagate discriminatory assumptions into supplier screening and ranking. Because this skill is intended to automate sourcing recommendations across global regions, the bias is operationalized at scale and may exclude strong suppliers who communicate effectively through translation, local agents, or other languages.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The communication scoring rubric explicitly rewards 'Fluent English (or your language)' and penalizes suppliers with basic English, which can bias supplier selection based on language proficiency rather than operational capability. In a sourcing skill, this can systematically disadvantage qualified suppliers and distort procurement decisions, especially when translation tools or multilingual workflows could mitigate the communication issue.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.