Security audit

Tech Trend Radar

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill generates technology trend reports, and its web research plus local report/event outputs are disclosed and aligned with that purpose.

Install only if you are comfortable with the agent browsing public web sources and storing generated reports plus event summaries in the workspace. Do not include confidential strategy, proprietary research priorities, or sensitive business context in prompts unless you are comfortable with that content appearing in saved report artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (87% confidence)
Finding
The example trigger phrases are broad enough to match ordinary user requests such as weekly AI reports, developer tools trends, or SaaS changes, which can cause the skill to auto-activate in situations where the user did not explicitly ask for this specific workflow. In a research/report-generation skill, overbroad activation can steer the agent into a predefined reporting format, source-selection policy, and output path unexpectedly, reducing user control and potentially causing unintended file writes or context capture.

Natural-Language Policy Violations

Medium (82% confidence)
Finding
The README is written entirely in Chinese and does not indicate that the skill should adapt to the user's preferred language, which can create a mismatch between user intent and skill behavior. While not directly enabling code execution or data exfiltration, this increases the chance of misinterpretation, hidden operational assumptions, and user confusion about what the skill will do, especially in multilingual environments.

Missing User Warnings

Medium (89% confidence)
Finding
The skill instructs automatic saving of generated reports into persistent memory paths without any notice, consent, retention policy, or sensitivity check. Trend reports may contain proprietary prompts, internal research priorities, URLs, or strategic analysis, so silent persistence can create unintended data retention and later disclosure risks in shared agent environments.

Missing User Warnings

Medium (92% confidence)
Finding
The skill directs publication of structured report metadata to an event-bus JSON file without warning that summarized findings, timing, scope, and highlights will be externally exposed to downstream consumers. In multi-tenant or integrated environments, this can leak business intelligence, internal monitoring interests, or sensitive operational context beyond the user's intent.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.