Form Cro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only form optimization skill with coherent scope and only ordinary privacy considerations around analytics and local marketing context.

Installing this skill is reasonable for form optimization advice. Before using its analytics suggestions, ensure consent, retention, and data-minimization practices are in place, and keep any local product-marketing context files free of secrets or information you do not want the agent to use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill advises tracking granular form interaction events such as field completion, errors, and submit attempts without any privacy, consent, minimization, or sensitive-data handling guidance. If implemented naively, this can lead to collection of behavioral telemetry tied to personal or sensitive form inputs, creating compliance, privacy, and data leakage risk.

Vague Triggers

Medium
Confidence: 89%
Finding:
The evaluation explicitly rewards triggering on casual phrasing, but it does not pair that with constraints that keep the skill narrowly scoped to quote-request or non-signup form optimization. In a router or skill-selection system, this can encourage over-broad activation on loosely related prompts, causing the wrong skill to handle requests and potentially bypass safer or more specialized skills such as signup-flow-cro.

VirusTotal

64/64 vendors flagged this skill as clean.
