Keyword Research

Security checks across malware telemetry and agentic risk

Overview

This keyword research skill is coherent and purpose-aligned, with disclosed local profile storage and no evidence of hidden sharing or destructive behavior.

Install only if you are comfortable with the agent using logged-in SEO tools in your browser and saving per-site business context locally. Review or delete the saved domain profile files if you do not want that information retained, and keep browser automation limited to the intended account and tab.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Low

Confidence: 94% confidence
Finding: The skill persists per-domain business profiles, including URL, business description, region, language, competitors, and tool-access status, to local disk across sessions. That behavior expands the skill from transient keyword analysis into ongoing data retention, which creates privacy and data-governance risk if users are not clearly informed or given consent/control over storage.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to store site and tool-account data in a local profile without any user-facing notice at collection time. Silent persistence of potentially sensitive business and account-status information increases privacy risk and can surprise users who expected a one-off analysis.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal