Security audit

灵感应用推荐

Security checks across malware telemetry and agentic risk

Overview

This skill coherently gathers public product-trend information and creates a local HTML inspiration report, with some ordinary privacy and overwrite cautions.

Install if you want an agent to research public trend sites and generate a local interactive report. Be aware it may make several third-party web requests, load Chart.js from a CDN when the report is opened, and write inspiration-report.html in the working directory, so check the output path if you already have a file with that name.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes very broad everyday phrases such as '做点什么', '找灵感', and '想做点什么', which can overlap with many unrelated user requests. This can cause unintended activation and lead the agent to perform network-heavy research or file-generation behavior when the user did not explicitly ask for this skill.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The '何时使用' section defines activation conditions in loose, intent-like language without specifying exclusion criteria or requiring explicit consent before executing the workflow. In context, this is risky because the workflow proceeds to multi-site web collection and report generation, so ambiguous triggering can expand scope beyond what the user intended.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs writing 'inspiration-report.html' into the working directory without notifying the user or addressing overwrite behavior. Unannounced file creation can surprise users, overwrite existing artifacts, or leave sensitive derived content on disk in shared or persistent environments.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs broad external web searching and page fetching across many third-party platforms without upfront disclosure or consent. Even if the sources are legitimate, silent network activity can expose user interests, consume resources, and violate expectations or policy constraints in restricted environments.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.