Foreign Trade Leads

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: runs a Google Maps lead scraper and saves business contact leads locally, with privacy and compliance caveats for users.

Install only if you are comfortable running a local Selenium scraper. Confirm that scraping Google Maps and storing lead data is acceptable for your legal, compliance, and platform-use requirements, use moderate result counts, and handle the generated CSV carefully because it may contain identifiable business contact information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 84% confidence

Finding:
The manifest description includes broad trigger phrases like “获客” and “找客户,” which can match many generic business requests beyond Google Maps lead scraping. Over-broad activation can cause the wrong skill to run in unrelated contexts, leading to unexpected scraping, file creation, or collection of third-party business contact information.

Missing User Warnings

Medium, 86% confidence

Finding:
The skill directs scraped lead data to be saved as CSV and lists fields including phone, address, website, and email, but it does not warn that these records may constitute sensitive business contact information or create compliance and handling risks. Users may persist personal or business-identifiable data to disk without understanding retention, sharing, or privacy implications.

VirusTotal

66/66 vendors flagged this skill as clean.
