03 Logistics Alert

Security checks across malware telemetry and agentic risk

Overview

This prompt-only logistics skill is mostly coherent, but it can push an agent toward business-impacting order and supplier actions without clear approval controls.

Install only as an advisory report generator. Do not allow it to automatically update order labels, supplier scores, carrier communications, user notifications, or supplier limits without human review, and verify current official logistics and compensation rules before relying on the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger section uses broad natural-language conditions such as pasting logistics tracks, describing a package situation, uploading order lists, or asking about standards/rules. This can cause the skill to activate on loosely related inputs, leading to unintended processing of sensitive order, customer, or supplier data and incorrect operational outputs in an internal-control workflow. In this context, over-triggering is more dangerous because the skill influences risk alerts, compensation estimates, and escalation actions.

VirusTotal

65/65 vendors flagged this skill as clean.
