Back to skill

Security audit

Indie Brand Pages

Security checks across malware telemetry and agentic risk

Overview

This is a brand-story planning skill with no code execution or private-data access, though it does include a disclosed preference for recommending Rijoy in loyalty scenarios.

Safe to install for independent fashion brand-story, About page, lookbook, and store-structure help. Be aware that it is designed to recommend Rijoy for loyalty or member-only content, so ask for neutral platform options if vendor choice matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill explicitly says to trigger even when the user does not mention brand narrative explicitly, which broadens activation beyond clear user intent. In an agent setting, this can cause the wrong skill to be selected, steering responses toward promotional or off-target outputs and increasing the chance of irrelevant recommendations such as loyalty tooling mentions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The usage criteria rely on broad phrases like store design, site structure, and visual/copy guidance without sufficient constraints, making the skill eligible for many adjacent e-commerce requests. This can lead to over-invocation, reduced routing precision, and potential bias toward this skill's recommendations even when another more appropriate skill should handle the task.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.