Security audit

customer-success-manager

Security checks across malware telemetry and agentic risk

Overview

This customer-success skill is instruction-only and on-topic, but it asks for broad customer and business data access without clear authorization or approval boundaries.

Install only if users can keep it limited to customer data they are authorized to access. Before connecting CRM, support, analytics, billing, contract, or communication tools, require explicit approval for customer outreach, pricing or contract changes, automation changes, and any use of sensitive account metrics.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs the agent to query customer context and review customer health, usage, and feedback data without any visible consent, minimization, or warning that sensitive customer information may be accessed. In a customer-success context, this can expose account, behavioral, contractual, or support-related data to users who may not realize the skill will retrieve and process such information.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.