市场数据洞察 · 竞品监控报告生成器

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for market reporting, but its paid subscription and monitoring behavior needs user review before installation.

Install only if you are comfortable providing marketplace and payment-related credentials. Before using the professional tier, confirm the exact subscription terms, renewal behavior, cancellation path, monitoring duration, notification method, and what product URLs, ASINs, payment state, or report data will be retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger phrases include very broad everyday language such as '看看' and '查一下', which can cause accidental invocation in unrelated conversations. Because this skill can progress into paid reporting and persistent monitoring flows, overbroad activation increases the risk of unintended data collection, web access, or payment-related prompts being initiated without clear user intent.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill describes continuous monitoring, price-change notifications, and automatic subscription renewal, but does not present clear user-facing warnings about ongoing background activity, retained targets, billing implications, or notification behavior. This is dangerous because users may unknowingly authorize recurring charges and persistent monitoring without informed consent, creating financial and privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal