Back to skill

Security audit

Cinematic Business Card Prospecting

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent prospecting assistant, but it handles business-card contact data and sends real outreach emails without enough disclosed privacy, consent, credential, retention, or bulk-send controls.

Review carefully before installing. Use only with contacts you are allowed to process and email, use a dedicated or app-password SMTP account, confirm every recipient and message before sending, avoid bulk outreach until rate limits and opt-out handling are clear, and verify how images, extracted contact data, research results, and tracking records are stored and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly documents commands for sending outreach emails and lists SMTP credentials as a requirement, but it does not warn that the tool contacts external parties, may process personal data from business cards, or can be abused for unsolicited bulk messaging. In a prospecting skill whose core purpose is outbound email automation, the lack of clear consent, anti-spam, and credential-handling guidance increases the risk of misuse, policy violations, and unauthorized messaging.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly processes business card photos, performs company research, and sends outbound emails using SMTP credentials, yet the documentation does not clearly warn about handling personal data, credential storage, consent, or legal/compliance obligations. In a sales-automation context, this omission increases the risk of privacy violations, misuse of harvested contact data, and insecure handling of email credentials.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The description advertises end-to-end prospecting and outreach in broad terms without stating any trigger constraints, approval gates, or scope limits. In a sales automation skill that can process business cards and send emails, this ambiguity increases the chance of unintended or overly broad activation leading to unsolicited contact, privacy misuse, or spam-like behavior.

Natural-Language Policy Violations

Low
Confidence
84% confidence
Finding
The description explicitly promotes sending outreach emails but does not mention recipient consent, lawful basis for contact, or locale/language handling. In the context of business-card-based prospecting, this creates risk of unauthorized processing of personal data and non-compliant outreach under anti-spam and privacy regimes.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.