LeadGenerator

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it presents fabricated business contacts as if they were real searchable leads.

Review carefully before installing. Treat all generated contacts as unverified synthetic demo data unless the publisher adds a real, disclosed data source with provenance and validation. Do not use the output for outreach, reporting, or paid lead delivery without independent verification and compliance review.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The script presents itself as a B2B lead generator and emits realistic-looking company names, phone numbers, emails, tax IDs, and addresses, but the records are entirely fabricated. In a business workflow, this can mislead users into treating synthetic data as real prospects, causing fraud risk, compliance issues, and operational harm if exported or acted upon.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly describes collecting contact data and exporting lead lists, but provides no privacy notice, lawful-use guidance, data provenance explanation, or handling constraints. In a lead-generation context, this can facilitate unauthorized collection, aggregation, and redistribution of business or personal contact information, increasing privacy, compliance, and misuse risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal