Flight Ticket Product Requirements Review

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Convex performance-audit skill with disclosed, purpose-aligned behavior and no hidden execution or persistence.

Safe to install for Convex performance work. Before letting it run diagnostics, confirm the target deployment and avoid using production Convex credentials unless you intentionally want production insights reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 86%
Finding
The default prompt uses broad natural-language phrasing that directly invokes the skill by name and action, which can increase the chance of unintended activation when nearby user text resembles a trigger phrase. In an agent environment, ambiguous activation can cause the wrong skill to run on untrusted content, leading to incorrect processing or accidental disclosure of context to the skill.

VirusTotal

64/64 vendors flagged this skill as clean.