低代码Ai 7bbc51

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk markdown learning skill with messy merged content and broad triggers, but no executable behavior, credential access, persistence, or data movement.

Install only if you are comfortable with a noisy learning-note skill that may activate for unrelated BBC or English-listening requests. It does not show signs of malware or privileged access, but the publisher should clean up the merged content and narrow the triggers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The manifest advertises a low-code AI coding skill, but most of the body is unrelated merged BBC/news and English-listening content. This semantic mismatch can cause the wrong skill to activate, mislead users, and bypass review expectations by hiding irrelevant or unexpected behavior/content under a coding-related label.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrase includes the very broad term "BBC," which is common and context-ambiguous. Broad triggers increase the chance of unintended activation and can hijack unrelated user requests, especially in multi-skill environments.

Vague Triggers

Medium
Confidence: 90%
Finding
The activation condition "用户需要低代码AI相关帮助" is broad and loosely scoped, making it easy for the skill to activate on many ordinary coding requests. Because the skill content is noisy and partially unrelated, accidental activation is more dangerous here than in a tightly curated skill.

Vague Triggers

Medium
Confidence: 89%
Finding
The activation condition for the merged sub-skill is broad enough to trigger on generic references to the skill name or topic. Given the document's mixed and duplicated content, this can route users into irrelevant material and reduce trust in skill selection.

Vague Triggers

Medium
Confidence: 93%
Finding
An activation rule based on users saying "BBC" is excessively broad because the term appears in many unrelated contexts. This can cause unintentional skill selection and content injection into conversations that did not request this skill.

Vague Triggers

Medium
Confidence: 93%
Finding
This activation condition again relies on generic references to the skill/topic and is too permissive for reliable routing. In a file already showing semantic drift, permissive activation increases the chance that unrelated or low-quality merged content will be surfaced unexpectedly.

Vague Triggers

Medium
Confidence: 92%
Finding
Using "BBC" as a trigger phrase is overly generic and likely to collide with unrelated conversations. Because the skill is presented as a coding skill while containing other content, this broad trigger meaningfully raises the risk of incorrect activation.

Vague Triggers

Medium
Confidence: 93%
Finding
The final activation condition remains ambiguous and too broad, continuing the pattern of permissive routing across duplicated merged sections. This creates a practical risk of accidental invocation and user confusion rather than direct code execution compromise.

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger phrase uses a common term in a way that is not unique to this skill, making false activations likely. In context, the content mismatch and repeated merges make such false activations more harmful because the returned material may be irrelevant or misleading.

VirusTotal

64/64 vendors flagged this skill as clean.
