Security audit

Product Marketing Context

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill transparently helps create a reusable product marketing context file, with no code execution, credentials, networking, or hidden behavior found.

Install if you want a shared marketing context document for future marketing tasks. Review the generated .agents/product-marketing-context.md before relying on it, and do not store confidential strategy, customer details, credentials, or private internal notes there unless you are comfortable with other marketing skills reading and reusing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description contains many broad trigger phrases such as general marketing and audience-definition terms, which can cause the skill to activate in situations beyond the user's actual intent. That creates a prompt-scope risk: an agent may inappropriately enter a workflow that inspects the repo and prepares to write persistent context files, leading to unnecessary data access or unintended actions.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill directs the agent to create and save `.agents/product-marketing-context.md` and potentially move an older file, but it does not require an explicit user confirmation immediately before modifying workspace files. In ambiguous or auto-invoked contexts, this can result in unintended persistent file creation or migration, especially because the skill also encourages broad repo inspection and auto-drafting.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The eval explicitly expects the skill to trigger on casual, underspecified phrasing like 'create a product context doc for my app,' which broadens activation boundaries and can cause the skill to run when the user may have intended a different workflow. In an agent ecosystem, overly broad routing can lead to incorrect file creation or context-gathering actions, especially because this skill writes shared state used by other marketing skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.