DataMerge

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a normal DataMerge integration for B2B enrichment and lead workflows, with privacy considerations because it can retrieve business contact details.

Install this only if you intend to use DataMerge for B2B enrichment. Before requesting contact emails or phone numbers, make sure your use complies with privacy, consent, anti-spam, and workplace data policies, and review any list changes before the agent writes them to your DataMerge account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill explicitly supports retrieval of validated business contact emails and mobile phone numbers, but the description does not warn users that it handles personal data or that such data may carry privacy, consent, and compliance obligations. In a lead-generation context, this omission can cause users or downstream agents to collect and use personal contact information without adequate notice, purpose limitation, or safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal