Engineering As Marketing

Security checks across malware telemetry and agentic risk

Overview

This skill is an outreach and lead-pipeline assistant with expected local lead storage and optional email automation, and I found no artifact-backed evidence of hidden exfiltration or destructive behavior.

Install only if you want an agent to manage sales leads and outreach. Review the generated config, keep credentials in environment variables, avoid enabling SMTP auto-send or cron until you are comfortable with the limits, and ensure your outreach complies with email and privacy laws.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The manifest description contains many broad activation phrases such as 'free tool', 'calculator', 'widget', and 'free app' that can match routine product, marketing, or software brainstorming conversations. This can cause the skill to activate outside its intended niche, steering users into lead-generation advice when they did not request it and increasing the chance of irrelevant or manipulative workflow hijacking.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal