Back to skill

Security audit

Prospector

Security checks across malware telemetry and agentic risk

Overview

Prospector is a disclosed lead-generation skill that uses expected vendor APIs and local files, with privacy and credential-handling considerations users should understand.

Use revocable, least-privilege API keys and rotate them if you stop using the skill. Assume search criteria and contact data may be processed by Exa, Apollo, and Attio, and treat exported Desktop CSVs as plaintext files containing personal/business contact data that may be synced or backed up by your system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill invokes shell commands, accesses environment variables, writes files, and performs network-backed operations, yet it declares no permissions or equivalent user-facing capability boundaries. This is dangerous because users and the host agent may not realize the skill can read secrets, persist data, and call external services, increasing the risk of overbroad execution and unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The setup flow appends raw API keys into shell profile files, creating long-lived credential persistence in plaintext. This increases exposure because shell startup files are broadly readable by local processes under the user account, are easy to back up or sync unintentionally, and may later be inspected or logged by unrelated tooling.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill writes API keys to a local JSON config file in plaintext. Although chmod 600 reduces access, plaintext secret storage still creates residual risk from local compromise, backups, sync tools, accidental disclosure, and other software reading the file.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that results are saved to the user's Desktop as a CSV containing personal contact data, but it does not warn that this creates a local plaintext file with names, titles, emails, and LinkedIn URLs. Desktop storage is easy to overlook, may be backed up or synced automatically, and can expose personal data to other local users, support tools, or accidental sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow description explains that companies and contacts are searched and enriched through Exa, Apollo, and optionally Attio, but it does not explicitly warn that prospect and contact data will be transmitted to third-party services. This can lead users to process personal or sensitive business data without understanding the privacy, compliance, and contractual implications of sharing it externally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states that setup stores API credentials securely in ~/.config/prospector/config.json, but it does not prominently warn users in the description or command flow that long-lived secrets are being persisted on disk in the home directory. This matters because local credential storage can be accessed by other local processes, backups, or accidental disclosure, and users may provide keys without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill omits an explicit warning that enriched lead/contact data will be exported to a CSV on the Desktop. This is risky because Desktop is a highly visible, commonly synced location, and exported prospect data may contain personal or commercially sensitive information that can be exposed to other users, backup systems, or cloud sync tools.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup process sends user-supplied API keys to third-party services for validation without an explicit warning that the key will be transmitted off-host. Even if validation is legitimate, the lack of clear consent and privacy notice can surprise users and expands the attack surface by immediately exposing credentials to network transit and external logging at the provider.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script exports lead records, including contact names, emails, and LinkedIn URLs, to a predictable local Desktop CSV path without any consent gate, warning, or data-minimization control in the export path. In the context of a prospecting skill that handles personal/business contact data, silent local persistence increases the risk of unintended disclosure to other local users, backup/sync services, or malware inspecting common user folders.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Attio sync path transmits collected company and personal contact data to an external CRM once invoked, but the code path itself does not enforce an explicit disclosure or confirmation about the outbound sharing. Because this skill aggregates third-party prospect data, pushing it into another external system can create privacy, compliance, and data-governance issues if users are not clearly informed and able to limit what is sent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.