Surplus Funds Recovery System

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is not clearly malicious, but it automates sensitive people-finding, SMS outreach, signatures, and claim filing without enough privacy, consent, or legal-control guidance.

Review carefully before installing. Use only if you have a documented legal basis to process claimant data, contact recipients, collect signatures, and file claims in the relevant jurisdiction. Configure external providers deliberately, verify recipients manually, keep SMS opt-out handling and rate limits, and do not run outreach or filing steps automatically without human approval.

SkillSpector (4)

By NVIDIA

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The README promotes automated skip-tracing and SMS outreach using third-party services without clearly warning that operators will process sensitive personal data and transmit it to external providers. In this context, the skill is specifically designed to locate individuals tied to foreclosure-related funds and contact them at scale, which raises privacy, consent, and regulatory risks if users deploy it without understanding those obligations.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The Quick Start directly instructs users to run automated skip-tracing and send SMS campaigns, but provides no warning about lawful handling of personal data, outbound messaging restrictions, or the risks of contacting wrong parties. Because these commands operationalize bulk data enrichment and outreach immediately, the omission makes misuse more likely and increases the chance of privacy violations, unauthorized processing, and noncompliant messaging.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly relies on skip-tracing, SMS outreach, and e-signature vendors, which implies transmission of personal data to third parties, but it does not clearly warn users about that data sharing or its privacy/compliance implications. In this context, the skill handles sensitive identity and contact information for foreclosure-related claimants, so omission of disclosure increases the risk of unauthorized processing, privacy violations, and regulatory noncompliance.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The manifest explicitly advertises SMS outreach, e-signature capture, skip-tracing, and claim filing, all of which involve sensitive personal data, external communications, and potentially legally significant actions. Presenting these capabilities without clear disclosure, consent requirements, privacy handling, or warnings about automated filing and outreach creates a real risk of misuse, non-compliant data processing, and unauthorized actions on behalf of individuals.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal