Security audit

Stainless Quote Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support normal quotation-management workflows, including price updates and sending quotes through business channels. Users should apply privacy precautions when using it.

Install only if you are comfortable letting the agent help prepare and route quotation data through your configured business systems. Review customer names, phone numbers, addresses, prices, and recipients before approving any external send or CRM sync, and disable or avoid automatic update features where your organization restricts outbound network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (92% confidence)

Finding
The skill explicitly describes sending quotation data through WeChat, email, Feishu, and CRM systems, which can expose customer names, phone numbers, addresses, pricing, and sales history to external services. Without clear disclosure, consent requirements, or data-handling safeguards, users may unknowingly transmit sensitive business and personal data outside the local environment.

Missing User Warnings

Low (81% confidence)

Finding
The automatic price-update feature depends on fetching data from external pricing and logistics sources, implying outbound network activity that is not disclosed to users. While this is less severe than directly sending customer records, hidden network access can still create privacy, compliance, and operational risks, especially in restricted enterprise environments.

VirusTotal

60/60 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.