Back to skill

Security audit

Community Builder

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only community-building guide with no executable behavior, but users should apply privacy, consent, and platform-rule guardrails when using its engagement and analytics advice.

Install this as a planning guide, not a compliance checklist. Before applying it, disclose moderation and analytics practices, avoid unnecessary personal or sensitive data collection, get permission before reusing member content or sending private outreach, and confirm that tracking, automations, and customer-data comparisons comply with applicable platform rules and privacy laws.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs operators to track member activity, retention, support deflection, and CLV differences between community members and non-members, which implies collection and linkage of behavioral and purchase data. Because it provides no guidance on notice, consent, data minimization, or compliance with privacy laws and platform terms, users could implement invasive or non-compliant monitoring of customers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill recommends screening joiners with membership questions and using automated keyword monitoring for violations, including competitor mentions, without discussing fairness, transparency, or platform-policy constraints. This can lead to opaque profiling, over-collection of personal information, biased access decisions, or improper monitoring practices in branded communities.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The playbook explicitly instructs operators to DM every new member, but provides no guardrails around consent, platform rules, privacy expectations, frequency limits, or disclosure that the outreach is brand-initiated. At scale, this can become spammy or manipulative outreach, create privacy/trust issues, and expose the community operator to complaints or enforcement under platform anti-spam and messaging policies.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.