Security audit

Trade Hunter

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed B2B lead-generation skill, but users should handle contact data and outreach carefully.

Before installing, confirm you have a lawful basis to collect and use any business contact data, comply with email marketing and privacy rules, avoid bulk unsolicited outreach, and store/export lead files only in secure locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly shows output of business contact emails and describes global company data collection, but it does not include any privacy, lawful-basis, anti-spam, or responsible-use guidance. In a lead-generation skill, this omission increases the risk that users will collect, export, and use contact data in ways that violate privacy, marketing, or platform policies, especially across multiple jurisdictions.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger conditions are overly broad and match generic sales-research requests such as finding customers or searching for companies. This can cause the skill to be invoked outside a clearly bounded scope, increasing the chance of unintended data collection, contact discovery, or use in contexts that bypass more appropriate review or consent checks.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.