CRM Entity Extraction

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CRM automation, but it can write extracted contact data into a spreadsheet from broadly defined business messages without a clear approval or scoping gate.

Install only if you intend the agent to create CRM spreadsheet records. Use a limited test spreadsheet first, require explicit approval before each append, and confirm the source messages, extracted fields, destination sheet, and duplicate handling are appropriate for your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation trigger, 'a business-related email or note containing CRM data,' is broad enough to match routine communications without strong scoping, user confirmation, or source constraints. In this skill's context, that broad trigger is directly tied to data extraction and persistence into a CRM spreadsheet, which increases the chance of unintended processing, privacy violations, and incorrect or unauthorized record creation.

VirusTotal

64/64 vendors flagged this skill as clean.
