Back to skill

Security audit

Lead Researcher

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed B2B lead-research helper with privacy and compliance caveats, but the artifacts do not show hidden execution, persistence, exfiltration, or automatic outreach.

Install only if you are comfortable using it for lawful B2B prospecting. Configure any search or enrichment providers with scoped credentials, avoid sensitive personal data and platform scraping that violates terms, verify contact data before use, and make sure any outreach complies with privacy and anti-spam rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
Accepting requests in broad natural language without a clearly bounded trigger or operating scope can cause the skill to be invoked for unintended lead gathering, profiling, or outreach tasks. In a sales-enrichment context, that ambiguity increases the chance of privacy-invasive collection, overbroad scraping, or generation of inappropriate targeting content beyond what users or platform policy intended.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly supports contact-data enrichment and personalized outreach generation but provides no privacy, consent, retention, or acceptable-use guidance. In this context, that omission is risky because the skill is designed to collect personal/business contact details and produce outbound messaging, which can facilitate privacy violations, spam, or noncompliant data processing if used carelessly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.