Security audit

Nox Influencer - Creator Discovery & Influencer Marketing

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed NoxInfluencer CLI wrapper for creator discovery and marketing operations, with sensitive actions gated by approval.

Install this only if you intend to let Codex operate your NoxInfluencer account through the official CLI. Be aware it may use a locally stored API key, retrieve visible creator contacts when explicitly requested, create exports, and modify NoxInfluencer campaigns, CRM, email/message tasks, products, short links, and brand-monitor records after approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 86% confidence
Finding
The top-level description is very broad and covers discovery, evaluation, contact retrieval, outreach operations, CRM, exports, brand monitoring, and account setup. In an agentic system, such wide routing language can cause the skill to activate for many loosely related marketing requests, increasing the chance of unnecessary tool use, access to sensitive creator/contact data, or execution of state-changing workflows when a narrower skill would be more appropriate.

Vague Triggers

Medium, 89% confidence
Finding
The 'When to Use' section uses broad criteria like finding, evaluating, or contacting creators and handling campaign/CRM/email operations without strong gating conditions. Because this skill can retrieve contacts, perform outreach-related actions, and mutate operational state, overbroad activation logic raises the risk of the agent invoking it on ambiguous requests and exposing sensitive data or initiating privileged workflows prematurely.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.