Back to skill

Security audit

Web3 Target Team Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a web3 lead-research tool, but it asks for nonstop background automation and systematic collection of personal Telegram handles, so it needs Review before installation.

Install only if you intentionally want a persistent lead-research workflow that collects and stores personal Telegram handles. Before use, remove or avoid the cron and auto-respawn setup, require explicit confirmation before writing CSV files, limit collection to public business contacts, and set clear run limits and deletion rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This is a true vulnerability because the file instructs creation of a persistent cron job that repeatedly checks for and respawns subagents without a fresh user request. That establishes ongoing autonomous behavior and resource consumption beyond the bounded scope of a normal research skill, and could continue operating unnoticed until manually disabled.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This is a true vulnerability because the HEARTBEAT.md instructions create durable, indefinite behavior by telling hunters to keep searching until told to stop. Embedding self-perpetuating operational instructions in workspace state increases the chance that autonomous activity continues across later sessions without the user's active awareness.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The workflow explicitly instructs perpetual operation ('RUN 24/7 UNTIL DERRICK SAYS STOP') and immediate respawning of subagents after completion or timeout. That removes normal task boundaries and can cause uncontrolled automation, excessive resource consumption, and persistent privacy-harming collection behavior beyond what a bounded research skill should do.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The workflow directs shell access to specific local filesystem paths and commands such as cat, cut, sort, and grep against user-local CSV files. A research skill should not assume or instruct direct local shell interaction with private files without clear authorization and safety boundaries, because it expands access to local data and can normalize unsafe file operations.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The workflow broadens the targeting criteria from the skill's stated '$10M+ funding' scope to include '$1M+ ARR,' which is a scope expansion not reflected in the manifest. While not the most severe issue by itself, this mismatch weakens user expectations and can lead the agent to gather data on a wider set of companies and individuals than intended.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description is broad enough to be invoked during general lead generation or research requests, which increases the chance of unintended activation. In this case that is more dangerous because the skill performs privacy-sensitive collection of personal Telegram handles and writes results to persistent files, so an overbroad trigger can cause unexpected data harvesting.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example command 'Hunt for crypto teams from [SOURCE]' is vague and could match ordinary research requests without conveying that the skill will verify personal Telegram accounts and store contacts. Because the workflow includes parallel subagents and persistent CSV updates, vague invocation materially raises the risk of silent over-collection and unintended side effects.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The start command trigger is ambiguous and may activate from broad prospecting instructions, causing the skill to launch subagents and begin contact harvesting without sufficiently specific user intent. In the context of outreach targeting and contact list building, that ambiguity meaningfully increases privacy and automation risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill is expressly designed to collect and verify personal Telegram handles for outreach, but it provides no privacy warning, consent guidance, or limits on storing personal contact data. This is especially risky because the targets are individuals associated with companies, making the workflow a structured contact-harvesting process that could enable spam, profiling, or misuse of personal identifiers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Appending verified contact data to master CSV files creates persistent local records of personal identifiers without warning the user that files will be modified and data retained. That persistence increases the chance of unnoticed accumulation, downstream sharing, and unauthorized reuse of collected contacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This is a true vulnerability because the skill directs persistent automation, workspace modification, and ongoing background execution without any user-facing disclosure or confirmation. In context, a lead-research skill does not need hidden cron jobs, file edits, or autonomous respawn loops, so the mismatch makes the behavior more dangerous rather than less.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to add all valid contacts to a CSV and save frequently, causing repeated persistent writes without user-facing disclosure or confirmation. Silent modification of local files is risky because it can create an undisclosed data store of scraped personal information and may overwrite or pollute existing datasets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow also mandates writing unsuccessful targets and notes into a second CSV file, again without clear warning that persistent data will be created or altered. This compounds the privacy and transparency issues by generating additional local records about individuals and organizations outside explicit user acknowledgment.

Ssd 3

High
Confidence
99% confidence
Finding
The core workflow is to find and store individual Telegram contacts for targeted crypto teams, which is systematic aggregation of personal contact data for prospecting. In context, this is more dangerous because the skill is explicitly designed to build contact lists at scale, turning public breadcrumbs into a structured outreach database that can facilitate spam, harassment, or targeted social engineering.

Ssd 3

High
Confidence
99% confidence
Finding
The instruction to 'Add ALL contacts that pass verification' and save them persistently encourages bulk aggregation rather than limited, necessity-based research. This materially increases privacy harm because it maximizes collection volume of individual contact identifiers and creates a reusable database for downstream targeting.

Ssd 4

High
Confidence
99% confidence
Finding
The workflow escalates from public company research to identifying employees, correlating identities across platforms, and then guessing Telegram usernames from real names when direct matches fail. That stepwise identity correlation and handle-guessing is highly dangerous because it is designed to uncover personal accounts beyond what users have directly exposed for this purpose, enabling intrusive deanonymization and targeted abuse.

Ssd 4

Medium
Confidence
96% confidence
Finding
By framing the activity as nonstop, retry-on-failure, and continuously respawned, the document amplifies the cumulative harm of the privacy-invasive collection process. Persistence and automation make the identity-correlation workflow far more dangerous in context because they scale collection, reduce friction, and increase the likelihood of mass profiling and abuse.

Session Persistence

Medium
Category
Rogue Agent
Content
To run hunters continuously:

1. Create a cron job that checks hunter count every 10 minutes
2. Add to HEARTBEAT.md to auto-respawn if < 3 hunters active

See [references/auto-hunt-setup.md](references/auto-hunt-setup.md) for cron configuration.
Confidence
96% confidence
Finding
Create a cron job that

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.