Google Trends Rising

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Google Trends-oriented skill with some overbroad examples and a non-core feedback endpoint, but the supplied evidence does not show hidden execution, credential use, persistence, destructive behavior, or automatic data exfiltration.

Install only if you want an agent to use Google Trends-style external lookups for popularity questions. Avoid sending personal, confidential, or business-sensitive details through any feedback feature unless the skill clearly asks for consent and explains what will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The file documents a separate feedback submission endpoint that is unrelated to the core Google Trends retrieval function, creating an unnecessary secondary data flow to an external service. In an agent-skill context, this increases the chance that user content or interaction details are transmitted off-platform without clear user consent or a strict purpose limitation.

Vague Triggers

Medium
Confidence: 89%
Finding
The activation description is broad enough to trigger on generic requests about trends, popularity, or hot topics even when the user did not ask for Google Trends specifically. Over-broad triggering can cause the wrong tool to activate, leading to unintended data access, irrelevant external API calls, and skill hijacking of unrelated user intents.

Vague Triggers

Medium
Confidence: 90%
Finding
The example phrases include everyday expressions like 'What's trending right now' and 'What topics are popular this week,' which are ambiguous and not safely constrained to Google Trends. In a multi-skill environment, such examples materially increase accidental activation and can divert user requests to this skill when another tool or a clarification step would be more appropriate.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Feedback API instructs posting free-form content that may include user statements, intentions, and outcome descriptions to an external endpoint, but provides no privacy notice, consent requirement, or data-minimization guidance. In an agent setting, such text can easily contain personal, confidential, or sensitive operational information, making this an external data disclosure risk.

VirusTotal

66/66 vendors flagged this skill as clean.
