Security audit

Detects sensitive information, grammar errors, punctuation problems, and similar issues in text by calling the 成均智能 HTTP API.

Security checks across malware telemetry and agentic risk

Overview

This content-checking skill sends user-provided text to a disclosed external API for its stated purpose and does not show hidden persistence or destructive behavior.

Install only if you are comfortable sending the text being checked to api.vsbclub.com under your API key. Avoid submitting secrets, regulated data, or confidential business content unless that provider is approved for your environment; the static scan and VirusTotal telemetry were clean.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium, 94% confidence
Finding
The README states that user text is sent to an external HTTP API for inspection, but it does not clearly warn users that their submitted content will leave the local environment and be processed by a third party. This creates a real privacy and data-governance risk, especially if users submit sensitive, regulated, or confidential text under the assumption the skill operates locally.

Vague Triggers

Medium, 91% confidence
Finding
The conversational trigger phrase is very broad and can be invoked by ordinary user requests asking to check text for sensitive content. That creates an overbroad activation surface, increasing the chance the skill runs unexpectedly and transmits user-provided text to an external service without sufficiently explicit user intent.

Missing User Warnings

Medium, 93% confidence
Finding
The skill transmits user-supplied text to a third-party remote API at api.vsbclub.com, but the file provides no user-facing notice, consent flow, or data minimization. In an agent-skill context, users may assume local processing, so this can leak sensitive prompts, personal data, secrets, or proprietary content to an external service unexpectedly.

Missing User Warnings

Medium, 95% confidence
Finding
The manifest clearly indicates that user-provided text will be processed by an external content-safety platform using an API key, but it does not disclose that submitted content may leave the local environment and be transmitted to a third party. This creates a real privacy and data-handling risk because users may unknowingly submit sensitive, regulated, or proprietary text to an external service without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.