Back to skill

Security audit

NeoBoost GEO 服务

Security checks across malware telemetry and agentic risk

Overview

This NeoBoost skill is a small, disclosed integration description with an API-key requirement, but its trigger wording should be tightened to avoid accidental use.

Install this only if you intend to use NeoBoost and are comfortable providing a NeoBoost API key. Keep requests explicit, especially for management actions such as changing topics, competitors, materials, or aliases; the publisher should replace the open-ended trigger examples with precise supported intents and exclusions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill metadata description uses broad phrasing like '当用户询问类似内容时触发' without clearly bounding what requests should activate the skill. This can cause over-broad invocation, leading the agent to route unrelated brand, analytics, or competitive-intelligence queries into a capability that may access external services and account-scoped data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The markdown trigger list ends with an ellipsis, which explicitly leaves the activation scope open-ended. In a skill that interfaces with an external API using a configured API key, ambiguous trigger scope increases the chance of unintended invocation, data exposure, or actions being taken for loosely related user requests.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.