Back to skill

Security audit

Jackyshen Customer Jounery Map

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward journey-map rendering skill that may create local export files, with no evidence of hidden access, persistence, exfiltration, or destructive behavior.

Install this if you want an agent helper for generating local journey-map deliverables. Before use, be aware it may create or overwrite journey_map.svg, journey_map.png, and journey_map.pdf in the workspace, and PNG/PDF export may invoke Playwright/Chromium; specify filenames, language, and output formats if you need tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation text is very broad ('whenever you want to visualize customer journeys, employee experiences, or service blueprints'), which can cause the skill to trigger in many ordinary planning, analysis, or diagramming contexts without clear user intent. Over-broad activation increases the chance the agent performs file generation or tool-driven rendering unexpectedly, especially when paired with mandatory export behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to 'Always produce' three files, which creates implicit workspace write side effects without notifying the user or checking consent. In agent environments, silent multi-file writes can surprise users, overwrite artifacts, or be chained with broad invocation to create unintended changes.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The export pipeline requires Playwright/Chromium rendering but does not warn that browser-based tooling or subprocess-like execution may occur. While this is common for rendering, lack of disclosure reduces informed consent and may lead to unexpected tool use, resource consumption, or policy issues in restricted environments.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.