Security audit

盘古·skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for turning a user-specified knowledge base into a reusable skill, with broad but disclosed content access and no hidden code execution or exfiltration behavior found.

Install only if you intend to let the skill process the knowledge base, folder, document, or conversation range you specify. Use explicit targets, avoid broad full-knowledge-base runs on sensitive material unless needed, and review generated triggers before installing the output skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger examples use very generic phrases like “盘古” and “蒸馏知识库”, which can plausibly appear in ordinary conversation and unintentionally activate the skill. In an agent environment that can read knowledge bases and generate installable outputs, accidental invocation can lead to unintended data access, processing, or workflow execution even without explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The installation and quick-start sections repeat the same ambiguous trigger wording without defining boundaries, making it more likely that users or upstream agents will invoke the skill unintentionally. Because this skill's purpose is to transform repository or document content into executable-style agent capabilities, accidental activation increases the risk of overbroad content ingestion and unintended artifact creation.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger list is broad and includes generic phrases like “盘古”, “蒸馏知识库”, and multiple aliases, which increases the chance of accidental invocation in unrelated conversations. Because this skill can proceed to read large portions of a knowledge base and drive a multi-step transformation workflow, unintended activation could expose user data or initiate actions the user did not mean to authorize.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Allowing the AI to infer trigger keywords automatically without defined constraints makes the activation surface unpredictable and hard to audit. In practice, this can create hidden or overly broad triggers that fire on common language, leading to unintended execution of a skill that reads user content and conversation context.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly states that, depending on mode, it may read all files and folders in a knowledge base or analyze conversation history, but it does not present this as a prominent user warning before collection begins. This creates a consent and privacy risk: users may not realize the scope of data access, especially for the complete distillation or task distillation modes.

VirusTotal

64/64 vendors flagged this skill as clean.