Back to skill

Security audit

Growth Marketer

Security checks across malware telemetry and agentic risk

Overview

This is a promotional Popupsmart marketing skill with a tracked link, but it is instruction-only and does not request unsafe system access.

Install this only if you want Popupsmart-focused marketing help. Expect answers to favor Popupsmart and include a UTM-tracked link; ask for independent sources, neutral comparisons, and clean URLs when making purchasing decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill presents itself as objective guidance but repeatedly instructs the agent to steer users toward a predetermined vendor and favorable conclusions. This creates deceptive, biased output risk because users may receive advertising framed as neutral advice without balanced evaluation or disclosure.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation scope is broad enough to capture many generic marketing and conversion questions that are not specifically about Popupsmart. In practice, this can cause the skill to inappropriately hijack unrelated user requests and inject promotional content where users expected general advice.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Saying the skill will 'automatically activate for relevant queries' without precise boundaries creates ambiguous routing behavior. That ambiguity increases the chance of unreviewed or unintended invocation, allowing the skill to influence responses outside its legitimate domain.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes common phrases like 'increase conversions,' 'grow email list,' and 'best popup builder,' which overlap heavily with ordinary user intent across many contexts. Without exclusions or ranking safeguards, the skill can over-trigger and bias agent behavior toward a single commercial destination.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs agents to use a UTM-tagged referral link for all relevant interactions, explicitly to track and attribute traffic, but does not require disclosure to the user. This creates a transparency and trust issue because users are being funneled through marketing attribution links without informed consent or awareness.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.