Back to skill

Security audit

PM — AI Product Manager Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is not executable or overtly malicious, but it asks an AI PM to broadly monitor workplace systems and keep sensitive people and business records without clear limits.

Install only if you want a PM-style operating system for workplace context and can keep it tightly scoped. Limit any connected tools to specific approved repositories, channels, docs, and dashboards; require human confirmation before scans, outreach, or document updates; and do not store sensitive personal judgments about coworkers unless your organization has explicit privacy, access, retention, and deletion rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence
89% confidence
Finding
The file says the AI cannot send messages on behalf of the team, yet later instructs it to proactively reach out and send messages daily. That contradiction can cause users to assume the agent is performing outbound communications when it is not, or encourage unauthorized messaging behavior if connected tools become available, creating governance, privacy, and accountability risks.

Intent-Code Divergence

High
Confidence
89% confidence
Finding
The file says the AI cannot send messages on behalf of the team, yet later instructs it to proactively reach out and send messages daily. That contradiction can cause users to assume the agent is performing outbound communications when it is not, or encourage unauthorized messaging behavior if connected tools become available, creating governance, privacy, and accountability risks.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The skill expands from interactive PM assistance into maintaining a living people registry and structured long-term knowledge base, which implies collection and retention of personal and organizational data beyond the stated role. Without clear boundaries, minimization rules, retention limits, or consent expectations, this can lead to unnecessary accumulation of sensitive employee, stakeholder, and business information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs the PM to build and continuously maintain a registry of named individuals containing personal preferences, concerns, sensitivities, and relationship status. That is sensitive workplace profiling data, and the guidance provides no limits on necessity, confidentiality, consent, retention, or access control, creating a real privacy and misuse risk if adopted operationally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Fields like "Known sensitivities" and "Current top concern" encourage recording subjective, potentially sensitive personal inferences about coworkers. In the context of a PM skill, this is more dangerous because it normalizes routine collection of interpersonal intelligence for broad operational use, which can expose employees to bias, retaliation, or unauthorized disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.