Challenger Thesis

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only research framework for single-company competitive analysis, with no hidden code, persistence, credentials, or install-time behavior.

Install this if you want a structured company research workflow. Treat outputs as research support rather than investment advice, verify cited sources yourself, and use a more specific prompt when you only want a quick company overview instead of a full deep-dive analysis.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding:
The trigger rules are overly broad and include common phrasings like asking to analyze a company or whether a business can be disrupted. This can cause the skill to activate outside its intended scope, leading the agent to perform deep single-company investment-style research when the user may have intended a lighter or different workflow, increasing the risk of misrouting, unnecessary data access, and over-collection.

Vague Triggers

Medium
Confidence: 84%
Finding:
The template tells users to send a prompt that will 'directly trigger' the skill, but it does not define strong activation boundaries beyond a few examples. In an agent environment, broad trigger phrasing can cause over-invocation on adjacent requests, leading the skill to run when the user did not intend deep single-company research or when another safer/more appropriate workflow should have been selected.

VirusTotal

64/64 vendors flagged this skill as clean.
