Back to skill

Security audit

New Visitor Cold Start

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only marketing planning skill for first-time visitor offers, with privacy and compliance considerations but no code or hidden access.

Safe to install from a security perspective. Before applying its recommendations to a live store, confirm cookie/consent requirements, popup UX rules, email-capture permissions, promotion stacking, and discount limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description casts a wide net across several adjacent marketing use cases, which increases the chance the agent invokes it for generic conversion or coupon requests without confirming first-visit, anonymous-user, or behavioral-targeting prerequisites. In practice, this can cause context drift and misapplication of behavior-based offer logic where another skill or a narrower workflow should be used.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The instruction to be 'pushy when vague' explicitly encourages the skill to proceed from underspecified requests and fabricate a full behavioral-targeting chain from minimal user input. That weakens routing specificity and can lead the agent to generate persuasive, behavior-based marketing recommendations without sufficient context, increasing the risk of inappropriate or non-compliant application.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.