Vague Triggers
Medium
- Confidence
- 93% confidence
- Finding
- 这些中文触发词包含“我该怎么办”“帮我分析一下”等高频日常表达,明显会与普通对话重叠,导致技能在并非需要结构化决策流程时被误触发。误触发本身不是远程代码执行类问题,但会让代理在错误上下文中切换到该技能,并可能引导用户进入文件创建、记录和归档流程。
daily-decision-making
Security checks across malware telemetry and agentic risk
Overview
This is a transparent decision-journaling skill whose main risk is saving sensitive personal notes if the user chooses to create records.
Install this only if you want a persistent local decision journal. Before creating records, confirm the folder path, avoid unnecessary sensitive details about finances, health, relationships, or third parties, and review generated files before keeping or syncing them.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)
Vague Triggers
Medium
- Confidence
- 95% confidence
- Finding
- 英文触发词如“should I”“help me decide”“pros and cons”过于泛化,极易出现在普通咨询、闲聊或其他技能场景中,增加技能碰撞和非预期调用概率。在代理系统中,这类宽触发会放大错误路由风险,使后续记录、模板生成或建议流程在不合适的上下文中启动。
Missing User Warnings
Medium
- Confidence
- 91% confidence
- Finding
- 该技能明确指导“创建文件夹”“复制模板”,但未向用户清楚说明这可能在其笔记库或项目目录中产生写操作,也未要求确认目标路径或权限边界。在具备文件系统能力的代理环境中,这会造成未经充分告知的持久化写入、目录污染,甚至把个人决策内容写入错误仓库或敏感工作目录。
VirusTotal
65/65 vendors flagged this skill as clean.