Clipboard History

Security checks across malware telemetry and agentic risk

Overview

This clipboard-history skill is purpose-aligned and local-only, but users should understand that clipboard text can be stored on disk if they run or adapt its sample code.

Install only if you are comfortable with clipboard snippets being saved locally. Do not enable the monitoring sample unless you explicitly want continuous clipboard polling, and clear or avoid using it around passwords, tokens, personal data, or confidential work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (91% confidence)
Finding
The activation phrase includes very broad terms such as "剪贴板" and "clipboard," which are likely to appear in ordinary user conversation. That raises the chance of accidental invocation of a skill that can access, search, and persist clipboard contents, potentially exposing sensitive copied data without clear user intent.

Missing User Warnings

High (97% confidence)
Finding
The skill description does not clearly warn users that clipboard contents may be automatically monitored and written to disk in a local JSON file. Clipboard data commonly contains secrets, personal information, access tokens, and other sensitive material, so silent or unclear persistence creates a meaningful privacy and security risk.

VirusTotal

64/64 vendors flagged this skill as clean.