Security audit

Finance Idp

Security checks across malware telemetry and agentic risk

Overview

This is a simple finance career-development planning skill with no executable code or privileged behavior.

Safe to install based on the provided artifacts. Users should confirm the skill is being used for finance-role development planning when it activates, and avoid sharing employee assessment details they would not want processed by their agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger keyword '个人发展计划' is broad and likely to match many ordinary HR, coaching, or career-development requests that are not specifically intended for this finance-focused skill. This can cause unintended invocation, leading the agent to route users into a specialized workflow with potentially irrelevant or misleading outputs.

Vague Triggers

Medium
Confidence: 96%
Finding
The keywords '能力差距', '人才发展', and '培训计划' are generic enterprise terms that can appear in many non-finance contexts, making accidental triggering likely. In an agent environment, vague triggers increase the chance of incorrect skill selection, which can degrade reliability and expose users to inappropriate recommendations based on the wrong domain assumptions.

VirusTotal

63/63 vendors flagged this skill as clean.