Back to skill

Security audit

Pet Food Compare

Security checks across malware telemetry and agentic risk

Overview

This is a single-file pet food comparison skill that asks the agent to gather public product information and present neutral, sourced tables, with no executable install or persistence behavior found.

This skill is reasonable to install if you want a Chinese-language assistant for pet food comparisons. Expect it to browse public product pages, public reviews, and image results, and to analyze product photos or screenshots you provide. Ask explicitly for your preferred language or script if Simplified Chinese is not desired, verify cited sources yourself, and do not treat its output as veterinary advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill hard-codes Simplified Chinese output, which can override a user's language preference and create an unnecessary policy constraint. While this is not a classic security exploit, it is a real safety/policy issue because it can reduce accessibility and cause the agent to ignore user-directed locale or language requirements.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The instructions require all output to be in Simplified Chinese and mandate converting Traditional Chinese source content into Simplified Chinese. This can force transformation of quoted or source-derived material against user preference, introduce fidelity issues, and conflict with broader language-handling policies.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.