Back to skill

Security audit

Customer Journey Mapper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only ecommerce journey-mapping skill; its customer-data use is expected for the purpose but needs privacy-aware handling.

Before installing, verify that the platform will not grant purchase or crypto authority based solely on the metadata tags. When using the skill, keep customer data in approved systems, prefer aggregated or anonymized reports, redact personal information from tickets, recordings, surveys, and interview notes, and follow applicable consent, retention, and access-control requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly encourages collection of analytics, feedback, session recordings, support tickets, and customer interviews, all of which can contain personal data or sensitive behavioral information. While this is common in ecommerce analysis, the absence of any guidance on minimization, consent, redaction, access control, or regulatory compliance creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow step operationalizes broad collection of user behavior and communications data, including session recordings, support tickets, surveys, reviews, and post-purchase information, without any warning about privacy, confidentiality, or lawful basis for processing. This increases the likelihood that users will ingest raw personal data into the analysis process in ways that exceed necessity or violate internal policy or regulation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly recommends watching session recordings, comparing heatmaps, and documenting form hesitation, which can involve behaviorally sensitive user data. Because it provides operational guidance without any mention of consent, minimization, masking, retention limits, or compliance obligations, it could lead users to collect or review personal data in ways that violate privacy requirements or expose sensitive information.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.