Content Master Pro

Security checks across malware telemetry and agentic risk

Overview

The skill mostly behaves like a content-marketing template pack, but it asks for broad sensitive credentials that are not clearly needed or explained by the active instructions.

Install only if you are comfortable treating it as a drafting and planning assistant, and do not provide Telegram, Google Sheets, GetResponse, Unisender, or other API credentials unless you have separately verified why they are needed. Review generated content before publishing, especially testimonials, customer metrics, medical or mental-health adjacent content, and competitor analysis.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: Advertising scraping-oriented workflows via Apify/PhantomBuster goes beyond ordinary content creation and optimization, and can normalize collection of third-party data through automation without clear safeguards. In an agent setting, this broadens behavior from drafting content into external intelligence-gathering that may create legal, privacy, platform-policy, or abuse risks.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: Advertising scraping-oriented workflows via Apify/PhantomBuster goes beyond ordinary content creation and optimization, and can normalize collection of third-party data through automation without clear safeguards. In an agent setting, this broadens behavior from drafting content into external intelligence-gathering that may create legal, privacy, platform-policy, or abuse risks.

Vague Triggers

Medium

Confidence: 77% confidence
Finding: Very broad triggers such as generic requests to write posts or content plans make accidental invocation plausible during unrelated conversations. If the skill also has undeclared execution or local side effects, accidental activation increases the chance that risky behavior occurs without the user's informed intent.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The English triggers are generic marketing requests with little context constraint, which broadens the activation surface and can cause unintended skill selection. In a skill already showing behavior mismatch and possible local execution capability, overly permissive triggers magnify risk by making surprise activation easier.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill states it should run whenever a user asks for content strategy, but it also explicitly says there are no clear trigger commands. That broad activation scope can cause the agent to invoke this skill in loosely related conversations, leading to unintended file access, memory/calendar creation, or content workflow actions without sufficiently specific user intent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The markdown describes reading a local context file but does not clearly warn the user that local files may be accessed or explain the privacy consequences. Lack of transparency undermines informed consent and increases the chance that sensitive internal information is ingested unexpectedly during a routine content-planning workflow.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly mandates use of Arthur's cloned voice without any visible consent, authorization, or privacy notice. Voice cloning is sensitive biometric-style processing that can enable impersonation, reputational harm, and unauthorized synthetic media generation if used without explicit approval and user awareness.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The example provides mental-health guidance and symptom framing around anxiety without any disclaimer that it is not medical or psychological advice. Users may interpret the content as diagnostic or therapeutic guidance, which is risky because it can encourage self-assessment, delay appropriate professional help, or create false reassurance in a sensitive health context.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The template explicitly collects customer-identifying details such as name, role, niche, company, Telegram/channel link, and performance metrics, then formats them into publication-ready testimonials. It only mentions that the testimonial should be 'approved for publication' and does not instruct users to obtain explicit informed consent for collection, storage, reuse, retention, or redaction of personal and business data, creating privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal