Hot Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public hot-list data from disclosed platforms and creates local analysis files, which fits its stated market-sentiment analysis purpose.

Before installing, understand that using this skill will make requests to Toutiao, Baidu, Weibo, Douyin, and Zhihu public endpoints and will save intermediate JSON plus an HTML report in the current workspace. Use it for informational market-sentiment analysis only, and review outputs before relying on them for investment decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The trigger conditions include broad everyday phrases such as '今天热点' and '舆情分析', which can cause the skill to activate in contexts the user did not intend. Because activation leads to multi-site network access, code execution, and file creation, accidental triggering increases the risk of unnecessary external requests and local side effects.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill performs broad external data collection from five platforms and writes raw JSON, state files, and HTML reports locally, but the workflow does not require clear disclosure or consent before doing so. This is dangerous because it expands the data-access and persistence surface without informing the user, which can violate user expectations and organizational controls.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal