Prospect Engine

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed sales-prospecting skill, but it uses a specific email account, fixed Telegram alerts, persistent logs, and recurring inbox checks without enough user-controlled boundaries.

Install only if you intentionally want this exact Pretty Busy/Xzenia prospecting workflow. Before use, replace or disable the hard-coded Gmail and Telegram destinations, require explicit approval before any outreach is sent, review what is stored in outreach-queue.md and intake.sqlite3, and opt in deliberately before enabling any recurring inbox-checking cron job.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs use of network access (`web_search`, local/public intake URLs, Telegram) and shell execution (`search.sh`, CLI commands) without any declared permission boundary or user-visible constraint. In an autonomous prospecting skill, hidden execution and outbound connectivity materially increase the risk of unreviewed data exfiltration, spam activity, or command misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The declared description presents a bounded lead-generation workflow, but the instructions expand into direct search, local script execution, inbox inspection, Telegram alerting, file/database writes, and dynamic public URL insertion. This mismatch can mislead reviewers and users about the actual operational scope, reducing oversight and making risky automation easier to invoke than expected.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill is described as autonomous lead generation for recurring cycles, manual searches, outreach drafting, qualification, queueing, and reply escalation, but it lacks clear trigger limits and approval gates for when these actions may run. Broad invocation language in a sales automation context increases the chance of unintended continuous monitoring, excessive prospect collection, or premature outreach-related processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to collect decision-maker emails/contact forms and later inspect inbox messages for prospect replies, but it provides no user-facing warning, consent model, or data-handling guardrails for personal and potentially sensitive communications data. In this context, the combination of contact harvesting and mailbox monitoring creates meaningful privacy, compliance, and misuse risk.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instruction to 'Log everything' is overly broad in a workflow that handles prospect identities, email addresses, reply status, inbox-derived metadata, and possibly intake links. Indiscriminate logging can accumulate sensitive data in files and databases beyond operational need, increasing exposure if those stores are accessed or reused improperly.

VirusTotal

VirusTotal findings are pending for this skill version.
