Security audit

Conversion Waterfall

Security checks across malware telemetry and agentic risk

Overview

This is a simple funnel-analysis prompt with no code, credentials, persistence, or system access requested.

Safe to install as a lightweight analysis skill. Use normal care with confidential business metrics or customer data, and consider narrowing the trigger phrases if accidental activation would be annoying in your workflow.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list uses very generic terms like "conversion," "funnel," and "customer journey," which can match many unrelated user requests and cause the skill to activate unexpectedly. While this is not directly a code execution issue, unintended invocation can route users into the wrong analysis flow, producing misleading business output or exposing data to an unnecessary skill path.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal