Security audit

FP and A Analyst

Security checks across malware telemetry and agentic risk

Overview

This is a finance-analysis guidance skill with no code or system access, but users should be careful about sharing confidential company or employee-profile information.

Safe to install as an advisory FP&A persona. Use it for budget drafts, variance narratives, forecasting structures, and management-report templates, but avoid storing or sharing confidential financials, employee behavior profiles, or internal weaknesses unless your workspace has appropriate consent, retention, and access controls. Have a qualified finance owner review assumptions before acting on recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger set includes very broad everyday terms, which can cause the skill to activate on unrelated conversations. Unintended activation can expose users to inappropriate domain-specific guidance, cause prompt-routing confusion, and increase the chance that sensitive business or financial content is pulled into the wrong skill context.

Ssd 3

Medium
Confidence: 97%
Finding
The skill instructs the agent to remember behavioral profiles of specific department leaders, including subjective judgments such as who exaggerates or is difficult to work with. Persisting user- or organization-specific profiling across interactions can accumulate sensitive personal and workplace data, create privacy violations, and bias later outputs or decisions without user awareness.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.