Client Project Manager

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local freelance-management skill, but it will create persistent files containing client, billing, invoice, and payment details.

Install this only in a private workspace and keep ./freelance-data/ out of shared folders and source control. Review generated invoices, reminders, and update emails before sending them, and avoid storing raw bank details in config.json unless you are comfortable protecting that local file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly stores client names, contact emails, invoices, project notes, and business communications in local JSON/HTML/Markdown files without any warning, consent step, sensitivity labeling, or guidance on securing that data. While local persistence is functionally expected for this type of skill, it creates a real privacy and data-handling risk because users may unknowingly write confidential client and financial information to disk in an unprotected workspace.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal