Delonix (德胧) P&L Analysis Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent hotel P&L analysis skill, but it handles sensitive business financial data while leaving storage, sharing, and publisher trust boundaries unclear.

Install only if you trust the publisher’s claimed Delonix affiliation and are authorized to use the embedded and user-provided hotel financial data. Treat store-level P&L, staffing, revenue, and benchmark data as confidential; avoid using live business data unless storage and any cross-skill/tool sharing are acceptable in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The document claims that all data stays in the user's private space and is never transmitted externally, but elsewhere it explicitly describes calling other skills and incorporating external benchmarks. That creates a misleading security/privacy guarantee that could cause operators or users to share sensitive hotel financial data under false assumptions about data flow and trust boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.
