Xiaolongxia Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a development-helper skill with command examples, not a hidden or self-executing payload.

Install only if you want an agent to help with plugin development workflows. Before running any generated install, publish, or rollback command, confirm the target project, registry/account, credentials, and expected side effects; prefer dry runs or backups where available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly instructs the agent to provide directly executable install, publish, and rollback commands, but it includes no requirement to warn users about side effects, verify environment assumptions, or require confirmation before potentially changing the system. In a plugin-development context, such commands can install packages, modify local files, publish artifacts, or alter project state, increasing the risk of unsafe copy-paste execution by users.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal