Chuwi Minibook

Security checks across malware telemetry and agentic risk

Overview

This skill is a small, disclosed local system-monitoring helper with no install scripts, persistence, network behavior, or credential handling shown.

Before installing, expect it to expose local device status in chat when invoked. Use explicit prompts such as "system info" or "battery status" to avoid accidental activation, and verify that the required psutil/chuwi_minibook Python module is actually available because the artifact itself does not include implementation code.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: Including the device-name term 'chuwi' as a trigger is ambiguous because it may appear in normal conversation about hardware rather than as a deliberate request to run the skill. In this context, accidental activation could still expose local system status, though the scope is limited to monitoring data rather than direct code execution or modification.

Vague Triggers

Low

Confidence: 84% confidence
Finding: Including the device-name term 'chuwi' as a trigger is ambiguous because it may appear in normal conversation about hardware rather than as a deliberate request to run the skill. In this context, accidental activation could still expose local system status, though the scope is limited to monitoring data rather than direct code execution or modification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal