Retirement Planning Assistant (养老规划助手)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed retirement-planning guidance skill with no code execution, persistence, credentials, or data transfer behavior.

Installers should treat this as financial planning guidance, not professional financial, legal, medical, or tax advice. Users should share approximate numbers when possible, avoid unnecessary personal details, and verify current China pension, insurance, and long-term-care policy details before acting.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 82%
Finding: The trigger list contains very broad terms such as '养老金', '退休规划', and '如何养老', which can cause the skill to activate on ordinary financial or life-planning conversations beyond the user's intended scope. Overbroad activation increases the chance that users are routed into a specialized workflow that solicits personal financial details without clear consent or context.

Missing User Warnings

Medium
Confidence: 94%
Finding: The interaction guidance explicitly tells the agent to collect age, income level, and current retirement assets, which are sensitive financial and demographic data, but there is no privacy notice, minimization guidance, or indication that sharing is optional. In a retirement-planning context this creates a real risk of unnecessary over-collection and user disclosure of sensitive information without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
