Deals ToMe

Security checks across malware telemetry and agentic risk

Overview

This is a read-only public deal-finding skill, with minor disclosure and invocation-scope caveats but no evidence of hidden access, credential use, persistence, or harmful behavior.

Install this if you want an agent to fetch public deal information from the listed sites. Be aware that generic phrases like "show more deals" may invoke it, and avoid providing sensitive personal preferences unless you are comfortable with them being used for the personalized deal result.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The intent phrases are broad enough that common shopping-related requests such as 'show more deals' or 'get top discounts worldwide' could match unintentionally and invoke this skill when the user did not explicitly ask for it. That can cause over-triggering, unexpected browsing of third-party deal sites, and unnecessary exposure to external content, even though the skill appears read-only.

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
The skill promises a personalized result category ('For You' / 'personalized') without any visible user opt-in or explanation of what data would be used to personalize results. Even in a read-only skill, this creates a privacy risk because users may receive tailored outputs based on inferred preferences or prior activity without informed consent.

VirusTotal

57/57 vendors flagged this skill as clean.
