Back to skill

Security audit

Win-Back Campaign

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only marketing skill that is coherent with its stated win-back campaign purpose, though users should apply privacy controls before using customer data for ad targeting.

Before using this skill, confirm your privacy notice, consent or lawful basis, opt-out handling, and platform terms allow behavioral personalization and customer-list advertising. Minimize uploaded customer fields, suppress users who opted out of marketing or targeted ads, and involve legal/privacy review for regulated regions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly recommends using browse history, last-purchased products, predicted preferences, SMS, and paid-ad retargeting to personalize outreach, but it does not require a user-facing transparency notice, lawful basis checks beyond limited channel-specific consent notes, or privacy disclosures for cross-channel profiling. In a marketing automation skill, this omission can lead operators to deploy behavioral targeting in ways that violate privacy expectations or regulations, especially where profiling and audience sharing with ad platforms require notice, consent, or opt-out controls.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide directs operators to upload lapsed-customer data to Meta custom audiences without any guardrails around lawful basis, consent, privacy notice disclosure, data minimization, or platform terms. In a marketing automation skill, that omission is materially risky because teams may operationalize customer-list sharing in ways that violate privacy law, internal policy, or customer expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Recommending Google Customer Match uploads without privacy warnings can lead users to share customer data for ad targeting absent proper disclosure, consent, or regional compliance checks. Because this skill is specifically about re-engagement campaigns across paid ads, the context increases the chance that practitioners will directly implement the advice at scale, amplifying compliance and reputational risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.