Market Research Automation

Security checks across malware telemetry and agentic risk

Overview

This is a local market-research report generator with disclosed mock data and user-directed file output, not hidden credential access or destructive behavior.

Install only if you are comfortable with a local demo-style research generator. Treat outputs as drafts based on mock/sample data unless you replace the data source with verified live research, and use --output only with paths you intend to create or overwrite.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill advertises file output functionality via the optional --output parameter but does not declare corresponding permissions. Undeclared write capability can bypass user and platform expectations, allowing reports or generated content to be written to arbitrary local paths if the underlying tool honors user-supplied paths.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 95% confidence
Finding: The documented behavior materially differs from the stated purpose: it generates surveys, writes local files, and relies on mock data instead of real market-mining workflows. This mismatch can mislead users and orchestrators about what the skill actually does, causing unsafe invocation, incorrect trust decisions, and decisions based on fabricated or non-live data.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger conditions are very broad and overlap with common user requests such as market research, user research, and competitor analysis. Overbroad triggers increase the chance the skill is auto-selected in contexts the user did not intend, which can lead to unnecessary data handling, misleading outputs, or unintended file generation.

Missing User Warnings

Medium

Confidence: 79% confidence
Finding: The skill claims to mine user pain points from social media but does not warn users that social-media-derived content may be collected, analyzed, or summarized. In this context, the omission reduces informed consent and can create privacy, compliance, and expectation-management risks if real data collection is later enabled.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal