守拙: Chinese Fund Manager Mental Model

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Chinese value-investing persona with no code execution or data access, though its broad finance triggers may activate it during ordinary investment questions.

Install only if you want Chinese stock and fund questions framed through this value-investing persona. Verify current market data independently, do not share brokerage credentials or private account details, and use the exit phrase when you want normal assistant behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad investment terms such as '价值投资' (value investing) and '基金配置' (fund allocation) that are likely to appear in ordinary financial discussions, so the skill may activate when the user did not explicitly intend to invoke it. Unintended activation can override the expected assistant behavior and inject rigid persona-driven financial guidance into unrelated or general queries, which is risky in a high-stakes investing context.

Vague Triggers

Medium
Confidence: 87%
Finding
The invocation examples include generic requests like asking whether a stock is worth holding long term or how to adjust fund allocation, which are ordinary user intents rather than unambiguous activation commands. This increases the chance the skill engages silently during normal conversation and steers the response into a fixed framework without the user's informed consent.

VirusTotal

58/58 vendors flagged this skill as clean.
