Back to skill

Security audit

Pop-Up Shop Planner

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only pop-up retail planning skill; it is coherent and not executable, but users should add their own privacy and legal checks before collecting customer contact data or running follow-up marketing.

Safe to install as a planning aid. Before acting on its recommendations, keep spending, venue booking, ad buys, customer data collection, email/SMS outreach, and retargeting under explicit human review, and apply applicable privacy, marketing, tax, permit, and insurance requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill repeatedly directs operators to capture customer email/SMS data at POS and use it for later follow-up, but it does not mention notice, consent, opt-in requirements, retention limits, or compliance obligations. In a retail marketing context, this can lead users to collect and activate personal data in ways that violate privacy laws, platform rules, or customer expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The post-event plan recommends retargeting ads and segmented follow-up to visitors captured during the pop-up, but gives no warning that these activities may require prior consent, transparent disclosure, and lawful audience-building practices. This omission is risky because the skill operationalizes marketing use of in-person collected data and behavior signals without guardrails, increasing the chance of unlawful or deceptive targeting.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.