Financial Private Equity

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for deal sourcing, but it may access Gmail and Slack communications for financial outreach without clear opt-in or privacy scoping.

Install only if you are comfortable with the agent using private email and Slack context for deal work. Before use, explicitly limit which accounts, channels, threads, time windows, and contacts may be searched, and require human review before any outreach is drafted or sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The deal-sourcing workflow explicitly instructs the agent to search Gmail and Slack for prior correspondence and internal discussion, then use that context to support outreach, but it does not require clear user confirmation, scope limitation, or privacy warnings before accessing potentially sensitive communications. In a financial/private-equity context, those data sources can contain confidential deal discussions, material nonpublic information (MNPI), and personal communications, so silent or assumed access creates a meaningful privacy and confidentiality risk.

VirusTotal

63/63 vendors flagged this skill as clean.
