Back to skill

Security audit

Product Marketing Context

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill transparently helps create a reusable product marketing context file, with no code execution, credentials, networking, or hidden behavior found.

Install if you want a shared marketing context document for future marketing tasks. Review the generated .agents/product-marketing-context.md before relying on it, and do not store confidential strategy, customer details, credentials, or private internal notes there unless you are comfortable with other marketing skills reading and reusing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description contains many broad trigger phrases such as general marketing and audience-definition terms, which can cause the skill to activate in situations beyond the user's actual intent. That creates a prompt-scope risk: an agent may inappropriately enter a workflow that inspects the repo and prepares to write persistent context files, leading to unnecessary data access or unintended actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs the agent to create and save `.agents/product-marketing-context.md` and potentially move an older file, but it does not require an explicit user confirmation immediately before modifying workspace files. In ambiguous or auto-invoked contexts, this can result in unintended persistent file creation or migration, especially because the skill also encourages broad repo inspection and auto-drafting.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The eval explicitly expects the skill to trigger on casual, underspecified phrasing like 'create a product context doc for my app,' which broadens activation boundaries and can cause the skill to run when the user may have intended a different workflow. In an agent ecosystem, overly broad routing can lead to incorrect file creation or context-gathering actions, especially because this skill writes shared state used by other marketing skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.