product-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed product-analysis workflow that creates PRD, tracking, ticket, and diagram documents; its file writes and local validation scripts are purpose-aligned but users should be aware outputs are persisted.

Install only if you want an agent to generate product-analysis documents and save them as files. Before use, verify the output directory, avoid placing highly sensitive requirements in generated artifacts unless your workspace retention is acceptable, and review any analytics/tracking sections for privacy, consent, retention, and data-minimization requirements before handing them to engineering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The workflow instructs the agent to execute shell and Python commands against a path derived from `/tmp/pa_skill_base.txt`, which expands the skill from document analysis into code/script execution. Even though the commands are framed as QA checks, they create an execution surface where a manipulated base path or replaced script could cause unintended command execution or unsafe file access.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The workflow directs the agent to read an output directory from `/tmp/pa_output_dir.txt` and write generated files there, including final artifacts. Using a path sourced from a world-writable temp location can enable path manipulation, unintended overwrites, or writes outside the intended workspace if the temp file is tampered with.

Context-Inappropriate Capability

Severity: Low
Confidence: 89%
Finding
The workflow instructs writing generated artifacts to a filesystem path read from `/tmp/pa_output_dir.txt` without requiring explicit user confirmation of the destination or validating the path. If that path is attacker-controlled or stale, the skill could overwrite unintended files or deposit sensitive output into an unsafe location.

Missing User Warnings

Severity: Low
Confidence: 92%
Finding
The skill instructs creating persistent output directories under `/mnt/user-data/outputs/` and writing multiple files without requiring an explicit user-facing disclosure or confirmation about filesystem modification. While the writes are aligned with the tool's document-generation purpose and stay within an expected workspace, silent persistence can surprise users, leak sensitive business content into retained storage, and make accidental data retention more likely.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The PRD template includes extensive analytics and monitoring fields such as user_id, behavioral events, device/performance data, and business exception tracking, but it does not require privacy notice, consent, data minimization, retention limits, or lawful-basis review. In a reusable product-analysis skill, this omission can propagate privacy-invasive designs into downstream PRDs and implementations, increasing the risk of noncompliant telemetry collection and unauthorized profiling.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The template explicitly includes `user_id` as a default tracking parameter for page events without any privacy notice, minimization guidance, or constraints on when persistent identifiers are appropriate. In a product-analysis skill that generates analytics specs for downstream implementation, this can normalize unnecessary user-level tracking and lead teams to collect identifiable data without consent, legal review, or anonymization.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The 'common user attributes' section encourages all implementations to define and collect user-level attributes including `user_id`, login state, and business attributes, but provides no warning about sensitive data classification, purpose limitation, or prohibited attributes. Because this is a reusable template, the omission can propagate privacy-invasive telemetry patterns across multiple products and features at scale.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The template operationalizes extensive telemetry collection across user, device, performance, API, and error data, including identifiers such as user_id, device_id, page_url, api_url, and error details, without placing clear privacy, minimization, consent, and sensitive-data handling warnings alongside the implementation guidance. In a product-analysis skill that generates PRDs, event-tracking plans, and developer tickets, this can propagate over-collection into downstream implementation and increase the risk of privacy violations, sensitive log leakage, and noncompliant tracking by default.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The markdown directs the agent to save files to disk with no warning about file creation, overwrite behavior, or where data will be stored. In an agent context, silent filesystem writes are risky because users may not expect persistent side effects, and an attacker could influence the target path through `/tmp/pa_output_dir.txt`.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The Draw.io fallback directly writes XML content to a `.drawio` file in a path derived from `/tmp/pa_output_dir.txt` without user warning or path validation. This introduces the same unsafe persistence and unintended overwrite risks as the main output flow, with additional exposure because a fallback path may be exercised automatically when MCP is unavailable.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document explicitly instructs the agent to create and write `.drawio` files to a path derived from runtime state, and even provides a fallback to write files directly if the MCP tool is unavailable. There is no requirement to obtain user confirmation, warn about overwrite risk, or constrain filenames/paths beyond a convention, which creates a real risk of unintended file creation or overwriting in an agent context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal