KPI Alert System

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill does what it says: monitors business KPIs and sends disclosed alerts, though users should treat the alert contents as sensitive financial data.

Before installing, confirm all Telegram, Slack, and email destinations are approved and private, avoid including exact sensitive values unless needed, use read-only QuickBooks/Sheets access, keep CSV exports in controlled locations, and periodically review any cron schedules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly supports sending KPI alerts over Telegram, Slack, and email, but it does not warn users that these channels may transmit sensitive financial information outside the primary system boundary. Because the monitored data includes AR aging, cash runway, burn rate, margins, and client-identifying details, users could unintentionally disclose confidential business information to misconfigured recipients, third-party SaaS providers, or insecure chats.

VirusTotal

66/66 vendors flagged this skill as clean.
