Security audit

李继刚认知工具箱

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Chinese cognitive-prompt toolbox with broad keyword activation, but no evidence of code execution, data access, persistence, or deception.

Install this if you want Chinese-language cognitive prompting and writing formats. Be aware that common words like “定义”, “类比”, or “公文” may trigger the skill unintentionally on keyword-based platforms; prefer explicit tool names or disable broad auto-activation if available. I found no artifact evidence of malware-like behavior, credential handling, network calls, file access, or persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium. Confidence: 94%.

Finding: The top-level trigger list includes broad everyday terms such as '抽象', '定义', '类比', and '探索' that are likely to appear in normal conversation. In a skill system that auto-activates on trigger phrases, this can cause unintended invocation, leading to prompt-context hijacking, unexpected behavior changes, or accidental activation during unrelated tasks.

Vague Triggers

Severity: Medium. Confidence: 91%.

Finding: Several per-tool activators are also generic phrases like '追问', '本质', '定义', '打分', and '探索', which creates many opportunities for accidental matching. Because the skill is designed to alter the model's reasoning style automatically, vague triggers increase the risk of unintentional mode switching and unreliable behavior across unrelated prompts.

Vague Triggers

Severity: Medium. Confidence: 96%.

Finding: The usage section explicitly states that the AI auto-activates a tool when its name is mentioned, but it does not define activation boundaries or disambiguation rules. This makes the invocation semantics unsafe and exploitation predictable: an attacker, or even ordinary text, can mention tool names to steer the assistant unexpectedly.

Vague Triggers

Severity: Medium. Confidence: 91%.

Finding: The trigger list contains very generic keywords such as “抽象”, “定义”, “矩阵”, and “公文”, which are likely to appear in ordinary user requests unrelated to this skill. In a keyword-activated system, this can cause unintended invocation, prompt hijacking of normal conversations, or routing users into a specialized prompt without clear consent, increasing the chance of confusing or policy-bypassing behavior.

Natural-Language Policy Violations

Severity: Medium. Confidence: 94%.

Finding: The prompt is written entirely in Chinese and defines a fixed Chinese output format, with no indication that the skill is intentionally locale-specific or any mechanism to adapt to the user's language. This can cause accessibility and usability failures for non-Chinese users and may lead to misunderstanding of the model's output, though it is not a direct security exploit in this context.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.