Investor Relations Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed tool for generating investor-relations videos, but it should be used carefully because it runs an external npm project and may process sensitive financial data through OpenAI APIs.

Before installing, review the external GitHub repository and npm dependencies, use a dedicated OpenAI API key with appropriate limits, avoid entering confidential or unapproved financial disclosures unless your policy allows it, and review generated videos for accuracy and legal/compliance requirements before distribution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 85%
Finding
The skill directs the agent to run local commands that render a video and write output files, but it does not require an explicit user-facing confirmation or warning at the moment of invocation. This can cause unintended filesystem changes and resource usage, especially if the skill auto-triggers from broad financial-reporting keywords.

VirusTotal

VirusTotal findings are pending for this skill version.
