Security audit

03 Acquisition Retention

Security checks across malware telemetry and agentic risk

Overview

This is a marketing guidance skill for community group-buying acquisition and retention, with privacy and anti-spam cautions users should apply before real outreach.

Install only for legitimate community-commerce operations. Before using the templates with real customers, confirm consent or another lawful basis, honor opt-outs, maintain suppression lists, limit outreach frequency, follow WeChat/platform and anti-spam rules, and avoid sharing unnecessary customer purchase history or identifiers with the agent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The recall SOP instructs operators to use purchase history, inactivity windows, and direct outreach without any consent, privacy, or lawful-processing guardrails. In this business context, that increases the risk of unauthorized profiling, non-compliant personal-data use, and spammy targeting practices across messaging platforms.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The outreach scripts operationalize private messaging, group invitations, behavioral targeting, and re-engagement messaging but omit safeguards against unsolicited contact, harassment, and misuse of user history. Because the skill is a ready-to-run marketing playbook, the lack of compliance warnings makes harmful or policy-violating execution materially more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal