Back to skill

Security audit

Salesmate

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a Salesmate CRM helper with expected API access, but users should be careful with write or delete actions because its trigger wording is broad.

Install only if you intend your agent to access Salesmate. Use least-privilege API credentials where possible, review any proposed create/update/delete CRM action before it runs, and avoid using the skill for vague Salesmate mentions unless you actually want CRM data accessed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is explicitly broad: it instructs the agent to use this skill for ANY Salesmate request and instead of calling the API directly. That can cause over-invocation on loosely related prompts mentioning Salesmate, increasing the chance of unintended reads or writes through this connector, especially because the skill supports state-changing and destructive actions.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.