Zero to One Startup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate startup-advisor skill, but it needs Review because its web/server features can expose or retain sensitive business-plan data in under-disclosed ways.

Install only if you are comfortable with a local web server, external LLM/provider calls, and local/browser persistence of startup-plan content. Keep the server bound to localhost unless you add authentication, TLS, and firewall controls; do not embed the widget on production sites until message rendering is sanitized; avoid uploading confidential PDFs unless you have chosen and trust the configured LLM/SaaS/Supabase destinations; and periodically clear localStorage/history/profile data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (32)

Tainted flow: 'OLLAMA_URL' from os.environ.get (line 69, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
import urllib.request  # required by the urlopen call below

def _ollama_available() -> bool:
    """Check whether the Ollama server responds (3-second timeout)."""
    # OLLAMA_URL is read from os.environ.get earlier in the file (line 69 per the
    # finding); an untrusted environment value therefore decides where this request goes.
    try:
        urllib.request.urlopen(f"{OLLAMA_URL}/api/tags", timeout=3)
        return True
    except Exception:
        return False
Confidence
88% confidence
Finding
urllib.request.urlopen(f"{OLLAMA_URL}/api/tags", timeout=3)

Tainted flow: 'OLLAMA_URL' from os.environ.get (line 69, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
import urllib.request  # required by the urlopen call below

def _ollama_available() -> bool:
    """Check whether the Ollama server responds (3-second timeout)."""
    # OLLAMA_URL is read from os.environ.get earlier in the file (line 69 per the
    # finding). The nosec marker only silences Bandit's B310 urlopen warning; it
    # does not validate the scheme or host of the URL.
    try:
        urllib.request.urlopen(f"{OLLAMA_URL}/api/tags", timeout=3)  # nosec B310
        return True
    except Exception:
        return False
Confidence
93% confidence
Finding
urllib.request.urlopen(f"{OLLAMA_URL}/api/tags", timeout=3) # nosec B310

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The prompt-injection filtering block appears mis-indented relative to the surrounding try/except structure, so the documented sanitization may not execute as intended before user input is forwarded to track classification, RAG, or LLM components. This creates a mismatch between claimed protections and actual behavior, increasing the chance that adversarial user input can influence downstream model behavior or bypass expected safeguards.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The widget persists full conversation contents to localStorage, including potentially sensitive startup plans and responses derived from uploaded PDFs. localStorage is readable by any script running on the same origin and persists indefinitely, so a same-origin XSS, shared device access, or browser compromise could expose confidential business information without user awareness.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The widget renders both user-controlled content and backend API responses via innerHTML without sanitization. In an embeddable widget, this creates a DOM XSS risk against any host page that includes the script, and the risk is amplified because the API base URL is configurable via a data attribute, allowing untrusted or compromised endpoints to return arbitrary HTML/JS payloads.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The feedback endpoint allows non-local requests through when no API key is supplied, despite the comment claiming external requests require validation. This enables unauthenticated parties to submit arbitrary feedback, pollute analytics, trigger background network writes, and potentially abuse downstream storage or SaaS ingestion paths.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The widget saves full chat transcripts into browser localStorage, including business-plan text and responses derived from uploaded PDFs. localStorage is long-lived, readable by any script running on the same origin, and offers no built-in confidentiality, so sensitive founder or company information can be exposed to other site code, browser extensions, or shared-device users.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The widget inserts both user-controlled display text and server-controlled response content with innerHTML. Because d.result/d.response is only lightly transformed with regex and not sanitized, a malicious or compromised API response can inject arbitrary HTML and potentially script-capable payloads into the host page, leading to DOM XSS in the embedding site’s origin.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises persistent history logging and local feedback storage for a tool that processes business plans, evaluations, and investor-facing materials, but it does not prominently warn that these artifacts may contain sensitive startup IP, financial data, or personal information and may be written to disk by default. In this context, silent persistence increases the chance of unintended local disclosure, backup leakage, or multi-user workstation exposure even if there is no direct remote exploit.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README exposes a REST API, CORS support, and web-callable endpoints that accept business-plan content, but it does not clearly warn users that sensitive startup data may be transmitted to a local server, browser-connected frontend, or external AI backend when configured. Because the skill handles confidential plans and funding materials, missing privacy and deployment guidance can lead users to expose proprietary data over insecure or unintended network paths.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The invocation examples use very broad natural-language triggers such as common founder requests without clear boundaries for when the skill should or should not activate. In practice this can cause accidental handling of sensitive business plans or startup data in contexts where the user did not intend this skill to process or transmit them.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation recommends multiple external LLM/API providers and local-to-remote fallback behavior but does not clearly warn that uploaded business plans, startup ideas, and financial information may be transmitted to third-party services. This is especially risky because such documents often contain confidential fundraising, product, and team information.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The reset command overwrites the persisted profile immediately with default data and provides no confirmation, backup, or undo path. If triggered accidentally by a user or wrapper script, this can cause irreversible loss of local progress and badges, though the impact is limited to gamification state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reranker sends the user's query and previews of retrieved documents to an external LLM via `_raon_chat(...)` without any in-file notice, consent flow, or data-minimization guard. If the corpus contains sensitive startup plans, funding data, or proprietary business information, this can leak user and document content to third-party providers during normal search operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Embedding generation delegates to `_raon_embed(text)`, which may send ingested documents and user search queries to external embedding services. Because this file processes startup-related content, users may unknowingly transmit confidential business documents, financial details, or internal program data to external vendors.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The feedback pipeline forwards user comments plus cached evaluation context, including portions of input text and model output, to external SaaS or Supabase destinations without an explicit consent gate at submission time. In this skill's context, users may submit sensitive business-plan content, so silent onward transmission can expose confidential startup information to third parties and create privacy/compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The extractor sends up to 3000 characters of raw notice text to an external LLM via `chat(prompt_to_messages(extract_prompt))` without any visible notice, consent flow, or data-classification guard. If users supply unpublished grant materials, internal notes, or personal/company data embedded in the text, this can cause unintended third-party disclosure and privacy/compliance issues; the startup/funding context increases likelihood that sensitive business information is processed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The embed guide explicitly supports sending business-plan text and base64-encoded PDF content to remote API endpoints, but it does not document any notice, consent, retention, or privacy expectations for users. Because this skill targets startup founders who may upload confidential business plans, financial materials, or investor-sensitive documents, the omission increases the risk of unintended disclosure and non-compliant handling of sensitive data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The widget converts uploaded PDFs to base64 and sends them to the backend for processing, but the interface does not clearly disclose that document contents will leave the browser. Because users may upload business plans, financials, or proprietary data, silent transmission increases the risk of unintentional sensitive-data disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Persisting conversation history in localStorage without disclosure creates a privacy and confidentiality risk, especially in a startup-advisory context where messages may contain business secrets. Users are not informed that transcripts remain stored on the device across sessions and may be exposed to other local users or scripts on the same origin.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The widget transmits user-entered business-plan text and attached PDF contents to a remote API with no in-product notice, consent, or disclosure at the point of submission. Given the skill’s business context, users may upload confidential startup plans, financials, or investor-sensitive materials, creating privacy, compliance, and data-handling risk if the endpoint is third-party, misconfigured, or intercepted.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The widget collects free-form business-plan text and optionally a full PDF, converts the file to base64, and sends both to a backend API with no visible notice, consent step, or disclosure about where sensitive startup data is transmitted. In this skill context, the data is likely to contain confidential business, funding, and financial information, which makes silent transmission materially more risky than a generic chat widget.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This file makes repeated external LLM calls using raw user queries and, in some paths, startup_profile and retrieved context, but there is no consent flow, minimization, masking, or user-visible disclosure that sensitive business data may be sent to third-party model providers. In a startup-advisor skill, prompts can contain confidential fundraising, eligibility, or strategic information, so silent transmission increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reset command overwrites the persisted profile immediately with default data and does so without confirmation, backup, or warning. If this CLI is triggered accidentally or exposed through automation, users can lose profile history, scores, badges, and progress irreversibly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The rerank function sends the raw user query plus previews of retrieved documents to an external LLM via _raon_chat() without any consent gate, redaction, provider allowlist, or clear disclosure. In a RAG pipeline, both queries and retrieved text can contain sensitive business, funding, or internal startup data, so this creates an unintended data exfiltration path to third-party model providers.

VirusTotal

64/64 vendors flagged this skill as clean.
