Security audit

QSR Weekly P&L Storyteller

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill creates weekly restaurant KPI narratives and keeps a disclosed running archive for trend comparisons, with privacy considerations but no hidden code or external data flow.

Before installing, decide whether you are comfortable storing restaurant financial and operational metrics in the agent's memory. Use anonymized or minimum-needed numbers where possible, and review your agent platform's memory controls so you can delete old reports or avoid long-term retention if the data is confidential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly directs the agent to build a running archive of weekly business reports containing operational and financial data, but provides no guidance on retention limits, user consent, access controls, or privacy handling. Even though the data is business rather than highly sensitive personal data, persistent storage of sales, labor, food cost, and related metrics can expose confidential commercial information if retained longer than necessary or surfaced in other contexts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal