
Security audit

德胧 Competitive Analysis Report

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward competitive-analysis report skill that researches public information and saves clearly named report files, with no hidden code or credential access found.

Install this if you want an agent to create competitive-analysis reports in your workspace. Review any proposed shell command before allowing it, and check output/competitor-analysis/ before rerunning if existing reports or sensitive business context matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The skill grants Bash despite its stated purpose being web research and report generation, which can be completed with WebSearch, WebFetch, Read, Write, and Edit. Unnecessary shell access expands the attack surface: adversarial inputs, future prompt changes, or model misbehavior could cause command execution, filesystem access, or unintended network activity beyond the documented workflow.

Missing User Warnings

Medium (86% confidence)
Finding
The skill instructs the agent to write multiple files automatically without telling the user up front that persistent artifacts will be created. This can surprise users, overwrite existing work in the target directory, or create unintended data retention, especially when reports may include client-sensitive business context entered by the user.

VirusTotal

64/64 vendors flagged this skill as clean.
