Stainless Client Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate CRM-style skill, but it describes automatic customer-data syncing and customer communications without clear approval or data-scope limits.

Install only if you will manually control integrations. Before connecting Feishu, WeChat, email, or calendar accounts, confirm exactly which customer fields can be synced, require review before any customer-facing message or document is sent, and use limited business accounts or scopes where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises automatic syncing to Feishu plus automatic outbound messaging via WeChat and email, but provides no notice about what customer data is transmitted, under what trigger conditions, or what consent/approval is required. In a CRM context this can expose customer PII and business-sensitive sales data to external services or send unintended communications without operator awareness.

VirusTotal

64/64 vendors flagged this skill as clean.
