Popup Cro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only popup optimization skill with scoped, disclosed behavior and no code, credentials, network calls, or persistence.

Reasonable to install for popup and banner CRO work. Review any `.agents/product-marketing-context.md` or `.claude/product-marketing-context.md` file before use, since the skill may read it for business context; avoid putting secrets or sensitive customer data there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 81%
Finding
The eval explicitly rewards the skill for triggering on informal or casual phrasing, but it does not define clear semantic boundaries for when the popup-cro skill should activate. In an agent router, this can cause overbroad matching and inappropriate invocation of persuasive popup guidance in unrelated conversations, increasing the chance of misrouting, reduced reliability, and unsafe application of conversion tactics outside the intended scope.

VirusTotal

65/65 vendors flagged this skill as clean.
