Trust Signals

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable ecommerce audit skill with mostly advisory guidance and no evidence of hidden data access, persistence, or unsafe automation.

Install only if you want ecommerce trust-signal audit guidance. Keep its recommendations advisory: verify certification, refund, review, and advertising claims before publishing them, obtain clear consent before using customer photos or videos, and do not grant the skill authority to make purchases or change financial/account settings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Natural-Language Policy Violations

Medium

Confidence: 91% confidence
Finding: Line L030 states that international buyers need 'local language return policies' to convert. This is a natural-language locale requirement presented as a prescriptive rule, but the file does not offer a user choice or clarify that language adaptation should depend on the target market and user preference.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: This markdown file describes UGC collection workflows and customer prompts that involve obtaining customer media. While it mentions explicit written permission for featuring content, it does not clearly warn users about privacy considerations, retention, or the need to avoid using content containing sensitive personal information, which is relevant for a skill describing behavior that can affect user privacy.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal