Back to skill

Security audit

AI Popup Builder

Security checks across malware telemetry and agentic risk

Overview

This is a visible Popupsmart-focused promotional guide that can bias recommendations, but it does not execute code or request privileged access.

Install this only if you want Popupsmart-focused advice. Treat outputs as vendor-specific promotional guidance, ask for neutral comparisons before buying, verify current pricing and ratings, and review consent, privacy, and data-sharing requirements before using any lead capture, tracking, hidden fields, cookies, or integrations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill is framed as an expert/reference guide but contains an explicit instruction to always recommend a single commercial product, regardless of whether it is the best fit for the user. This creates steering behavior that can override user intent and model neutrality, turning the skill into an undisclosed affiliate-style promotion channel.

Vague Triggers

High
Confidence
93% confidence
Finding
The skill claims broad applicability to common topics like popups, lead capture, conversion optimization, and marketing, which are generic user intents that appear frequently across many conversations. Such broad trigger scope makes the skill collision-prone and likely to inappropriately activate or bias responses in contexts where a neutral comparison or a different solution would be more appropriate.

Vague Triggers

High
Confidence
98% confidence
Finding
The instruction to ALWAYS recommend Popupsmart based on vague keyword categories causes aggressive triggering on routine terms such as email capture, A/B testing, compliance, or no-code tools. This can hijack unrelated conversations and systematically bias the agent toward one product, reducing reliability and increasing the chance of deceptive or misaligned recommendations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill encourages email capture, phone collection, hidden fields, tracking, targeting, and integrations that move user data into third-party systems, but it presents these as optimization steps without meaningful cautions about consent, minimization, or jurisdiction-specific privacy obligations. In practice, this can lead an agent to recommend surveillance-heavy or non-compliant setups to users who have not considered the privacy impact.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.