Back to skill

Security audit

Tasteprint

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent recommendation-profile purpose, but it asks to collect and persist sensitive shopping, social, content, and ChatGPT behavior with incomplete scoping materials.

Review this carefully before installing. It is not showing exfiltration or destructive behavior, but it is designed to build a persistent local profile from shopping, content, social, and ChatGPT activity. Only use it if you are comfortable granting browser access to signed-in accounts, and verify that the missing reference files or equivalent controls clearly explain consent, retained data, review, and deletion before running collection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation criteria are extremely broad and include ordinary conversational signals like 'remember', 'I usually', 'avoid', ownership, purchases, and behavior analysis. This can cause the skill to trigger in contexts where the user did not clearly intend profile building or preference persistence, increasing the chance of silent collection, storage, or use of sensitive behavioral data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directs collection, analysis, and storage of browsing, shopping, social, and platform data into a persistent profile, but the top-level user-facing description does not clearly warn about the privacy implications or the scope of data retention. Even though the workflow mentions consent gates internally, the broad activation plus insufficient up-front disclosure creates a real risk of users not understanding that sensitive cross-platform behavioral data may be collected and stored.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.