Competitor Intelligence Monitoring System (竞品情报监控系统)

Security checks across malware telemetry and agentic risk

Overview

This skill is unlikely to harm your computer, but it appears to sell competitor research while generating mostly generic and partly random reports.

Treat this as a Review item before installing. It does not show malware-like behavior, but do not rely on its reports for pricing, marketing, investment, or product decisions unless the publisher clearly labels the output as synthetic/template-based or adds real data collection, source attribution, and deterministic review analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The skill advertises competitor analysis from a provided name/link, but the implementation never uses the URL to retrieve or validate real competitor data. This can mislead users into trusting fabricated output as evidence-based intelligence, creating integrity and decision-risk issues in a business-analysis context.

Intent-Code Divergence

Medium
Confidence: 98%
Finding: The review-analysis function always generates random sentiment results via Math.random() and ignores any actual review input, yet presents the output as analysis. In this skill’s competitor-intelligence setting, that is dangerous because it produces nondeterministic, invented business signals that may drive pricing, marketing, or product decisions.

VirusTotal

64/64 vendors flagged this skill as clean.
