Security audit

App Website Funnel Cloner Expert

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed website, funnel, and app recreation helper, but users should be careful about external URL analysis and originality/IP risks.

Install only if you are comfortable giving the skill an OpenAI API key and letting it fetch and analyze URLs or content you provide. Use it on sites you own or are authorized to analyze, avoid confidential content unless you trust the configured APIs, and manually review generated outputs for originality, legal/IP issues, and possible brand confusion before publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The activation keywords are excessively broad and include generic phrases like 'analyze website', 'create similar', and 'new version', which can cause unintended invocation in unrelated contexts. In a skill that fetches third-party URLs and performs cloning-style analysis, accidental activation can lead to unnecessary external access, surprise data handling, and actions the user did not clearly authorize.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The workflow states that the agent will collect source material from provided URLs and extract HTML/CSS, but the skill does not prominently warn users up front that it will fetch and inspect third-party content. This reduces informed consent and can lead users to provide URLs without realizing the skill will perform network retrieval and potentially process external material, increasing privacy, compliance, and trust risks.

Vague Triggers

High

Confidence: 95% confidence
Finding: The keyword trigger pattern is extremely broad and includes generic phrases such as 'analyze website', 'landing page', 'redesign', and 'competitive analysis', which can cause the skill to activate in unrelated conversations. In a skill that performs external fetching, cloning analysis, and content generation, unintended invocation can expose user-provided URLs or content to downstream tooling and APIs without clear intent.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The manifest states that the skill uses curl, puppeteer, html2canvas, and an optional plagiarism-check API, but it does not disclose to users that submitted URLs and content may be fetched, rendered, screenshot, or transmitted to external services. This creates a data-transparency and privacy risk, especially if users provide private, authenticated, or sensitive business content for analysis.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: Requiring an OpenAI API key for content generation implies that user prompts, pasted website/app content, or analysis artifacts may be sent to an external model provider, yet the manifest does not warn users about this transmission. Because this skill is designed to ingest competitor websites, funnels, and app descriptions, the undisclosed transfer of potentially proprietary material increases confidentiality and compliance risk.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal