Investor Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent investor-research report generator with expected local report-writing behavior and no evidence of hidden data access or unsafe actions.

Before installing or using it, confirm where the report will be saved and avoid running it in a shared or sensitive directory if the report includes confidential fundraising details. Verify investor data, check sizes, partner names, and warm-introduction paths before outreach.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 89% confidence
Finding: The skill instructs the agent to save a report into the current working directory, which implies file-write capability, yet no explicit permissions declaration or user-facing consent model is present. This creates a mismatch between apparent behavior and declared capabilities, increasing the risk of unexpected local file modification or use in environments that rely on permission metadata for policy enforcement.

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill explicitly instructs saving output as a markdown file in the current working directory without warning the user that local files will be created or modified. While the action is not inherently malicious, silent writes can surprise users, overwrite existing artifacts, or violate least-surprise and sandbox expectations in agent environments.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal