Back to skill

Security audit

Turbo Poster 9000

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward social-content generator that sends provided text and image/logo URLs to a disclosed external DeepContent API.

Use this for non-sensitive marketing content. Avoid submitting confidential event details, private speaker photos, proprietary templates, unreleased partnership information, or internal asset URLs unless you are comfortable sending them to the DeepContent service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to transmit user-provided text and asset URLs to a third-party API, but it provides no user notice, consent step, or data-handling warning. This creates a real data exfiltration/privacy risk, especially because uploaded URLs may reference sensitive internal assets, private headshots, logos, or event materials that users may not realize are being sent off-platform.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.