Back to skill

Security audit

Client Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local CRM rather than malware, but it handles sensitive client and financial data with overly broad triggers and an under-disclosed chat button interface.

Review before installing. This skill is not showing artifact-backed malware or network exfiltration, but it will store sensitive client and financial records locally and may activate on ordinary words. Install only if you are comfortable with plain local JSON storage, broad read/write/exec access for the CRM directory, and the possibility of CRM data appearing in the active chat interface.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly introduces a platform messaging UI capability via a `message` tool with Telegram-style buttons, despite framing itself as a purely local CRM with no messaging/platform integration. This mismatch expands the interaction surface and could cause user actions or data displays to occur in external chat contexts, undermining the local-only trust model promised elsewhere in the file.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The documentation promises the skill does not access Telegram, messaging APIs, or external platforms, but later sections instruct the agent to implement Telegram-style button interactions. This is a direct contradiction in the declared security boundary, which can mislead users and reviewers about where client data may be rendered or processed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Using a generic phrase like "good morning" as a trigger can activate the skill during ordinary conversation, causing unintended access to persistent local CRM data and proactive summaries. In a skill that stores invoices, earnings, clients, and reminders, accidental activation can expose sensitive business information when the user was only greeting the assistant.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill registers highly generic triggers like "invoice," "paid," "log," "time," "tax," and "help," which can collide with unrelated user intents and cause the CRM skill to take over unexpectedly. Because the skill can read and write persistent local records, ambiguous invocation increases the risk of accidental disclosure, unwanted state changes, or confusing execution in the wrong context.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal