
Security audit

赤石skill

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Chinese writing-style skill with no code, credentials, installs, or external access.

Safe to install for its stated purpose. Review outputs before publishing, especially if they describe real people or accounts, because the intended voice can be judgmental; avoid harassment, protected-class targeting, doxxing, or fabricated allegations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 95%
Finding
The skill explicitly requires Chinese output regardless of the user's language or preferences. While this is primarily a policy/UX issue rather than a classic security flaw, it can override user intent, reduce transparency, and be abused to constrain agent behavior in ways the user did not request.

VirusTotal

65/65 vendors flagged this skill as clean.
