Back to skill

Security audit

Unboxing Experience

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only ecommerce packaging guidance skill; its UGC and tracking advice needs privacy care but is disclosed and purpose-aligned.

Before using this for a real campaign, add clear consent language for uploads and social posts, disclose QR tracking and incentives, obtain permission before repurposing customer content, honor platform rules, and define opt-out, deletion, retention, and moderation processes. Also review the overbroad metadata capability tags during installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly tells users to monitor, curate, and repurpose user-generated content and to route users through tracked landing pages, but it does not mention consent, privacy notices, platform rules, or lawful handling of personal data. This creates a realistic risk of collecting and reusing customer content or social data without adequate permission, disclosure, or retention controls, exposing operators to privacy, compliance, and reputational harm.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.