raai-price-probe-dogovornaya-20260421

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate customer-support automation skill, but it asks for broad customer-message, CRM, and refund-related authority without enough scoping or approval controls.

Review before installing. Use this only in a clearly selected support workflow, narrow the triggers, disable automatic refunds and CRM updates until reviewed by a human, and add privacy rules for customer identifiers, contact details, order data, LTV, payment/refund details, and complaint history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script claims to only assemble a distributable ZIP, but it also unpacks the newly built archive and executes `bash test/smoke-test.sh` from its contents. That creates an unexpected code-execution step in a packaging workflow, which is dangerous because operators may run the builder assuming it is non-executing, while any malicious or modified smoke test gains code execution on the build host.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger list contains many broad, generic phrases like 'тикет', 'helpdesk', 'customer support', and 'поддержка клиентов' that are likely to match ordinary user conversation outside a deliberate invocation. This can cause unintended activation of the skill in unrelated contexts, leading to inappropriate access to customer-support workflows, CRM-connected behavior, or disclosure of support-oriented outputs when the user did not explicitly request this skill.

Vague Triggers

High
Confidence
90% confidence
Finding
The activation condition 'Любое входящее обращение клиента' is effectively unlimited and gives the skill permission to process any incoming customer message without a precise boundary. In a multi-skill or shared assistant environment, this increases the chance of over-collection, accidental routing, or unauthorized handling of messages that should remain under another workflow or require explicit user consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad, generic operational requests such as designing channel strategy or automating support, which can easily overlap with normal user intent outside this specific skill. In an agent environment, that increases the chance of accidental invocation or routing to this skill when a user did not explicitly request it, potentially causing inappropriate behavior, context capture, or workflow hijacking.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples include numerous concrete personal and sensitive business data elements such as full names, CRM IDs, Telegram handles, email addresses, order numbers, complaint history, VIP status, LTV, refund amounts, and support case details. Even if presented as examples, this normalizes exposing realistic customer records in prompt artifacts and can lead to accidental disclosure, reuse of real data, privacy violations, or training-data leakage if the examples are copied into production systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file contains numerous realistic customer-support examples with personal names, handles, order numbers, ticket numbers, payment/dispute scenarios, and customer-value data, but provides no warning about sensitive-data handling, minimization, or redaction. In a support-oriented skill, this can normalize copying customer data into prompts and increase the risk of privacy violations, regulatory issues, or accidental disclosure to external model providers.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer writes into a user-controlled path under the home directory and immediately copies files and creates a .env file without any confirmation prompt or dry-run. While this is common for installers, it is still a real safety issue because it can modify the user's environment unexpectedly, especially if the argument is mis-specified or the script is run from an untrusted bundle.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# TONE-OF-VOICE
# ═══════════════════════════════════════════════════
tone:
  default: "дружелюбный деловой"
  on_negative_sentiment: "спокойный эмпатичный"
  on_vip: "персональный профессиональный"
  on_legal_threat: "нейтральный официальный"
  address_form: "вы"
  use_emoji: false
  response_length: "medium"

# ═══════════════════════════════════════════════════
# RETURNS
# ═══════════════════════════════════════════════════
returns:
  return_policy_days: 14
  return_processing_days: "5-7 рабочих"
  auto_approve_return_under_rub: 1000
  requires_reason_code: true

# ═══════════════════════════════════════════════════
# CRM INTEGRATION (optional)
# ═══════════════════════════════════════════════════
crm:
  enabled: false
  type: "bitrix24"  # bitrix24 / amocrm / hubspot / freshdesk / zendesk
  api_url: ""
  api_key: ""
  auto_create_ticket: true
  auto_update_client_card: true
  required_fields:
    - "client_id"
    - "ticket_category"
    - "priority"
    - "channel"
    - "status"

# ═══════════════════════════════════════════════════
# QUALITY AND NPS/CSAT
Confidence
82% confidence
Finding
auto_approve

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal