Back to skill

Security audit

AI Co-Founder Engine (Scored Startup Builder)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a startup strategy helper, but it may send raw business ideas or prompts to external research/search services without clear user disclosure.

Review this skill before installing if you plan to discuss confidential startup ideas, customer data, strategy, or unreleased product details. Use it only when you are comfortable with external research/search providers receiving query text, or modify it to require explicit consent and redact sensitive context before network calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The README describes activation in very broad terms ('Just describe your idea'), which can cause the skill to trigger during ordinary startup-related conversations rather than only when the user explicitly intends to invoke it. Overly broad invocation increases the chance of unintentional routing into the skill, exposing user prompts to unexpected processing and making prompt-scope or tool-use issues in downstream components more likely to matter.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The function issues external research queries via `research(q, context)` using user-supplied idea content without any disclosure, consent check, or indication that data may leave the local environment. In a strategy/planning skill, this can expose sensitive business ideas or contextual data to external services unexpectedly, creating privacy and data-handling risk even if there is no obvious malicious behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The fallback search function transmits the user's raw query to DuckDuckGo, an external third-party service, without any indication in this file that the user is informed or that sensitive input is filtered first. In an agent/tool-routing context, queries may contain private prompts, secrets, internal data, or user-provided sensitive content, so silent external transmission creates a real privacy and data-handling risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.