Security audit

Lingqu Banner Config

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it gives chat-triggered workflows enough authority to change shared campaign state and delegate backend promotion changes, so users should review its scope before installing.

Install only in a controlled internal workspace where the agent is connected to the intended tracking sheet, chat groups, and promotion tooling. Before use, restrict who may trigger schedule, cancellation, and material-change flows, and require explicit project confirmation for terminal or backend-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill defines routing based on very short natural-language cues such as '取消', '延期', and '换图', and the later routing section repeats these broad triggers without requiring project identification, actor validation, or confirmation. In a chat-driven workflow, this can cause unintended state changes or backend delegation from ambiguous conversational text, especially in group contexts where someone may mention these words without intending an operational command.

Vague Triggers

Medium
Confidence: 84%
Finding
The 'single entry' rule says all Banner-related PM natural-language requests must enter this skill, but it does not define narrow boundaries for what counts as Banner-related input. Because the skill already uses fuzzy keyword routing and cross-table disambiguation, this broad capture rule increases the chance that unrelated or insufficiently scoped messages are absorbed and processed, potentially leading to incorrect delegation or spreadsheet state transitions.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger condition allows activation when 'anyone' in a group chat @mentions the agent and posts something resembling a schedule. In this skill, activation can lead to state-changing actions such as marking items cancelled, copying promotions, updating tracking records, and sending notifications, so an overly broad trigger increases the risk of unauthorized or spoofed operational changes from non-authorized participants.

Vague Triggers

High
Confidence: 96%
Finding
The skill allows cancellation-like state changes based on broad phrases from 'anyone' such as '取消', '延期', or '黄了', and later reiterates that any person can trigger the cancellation flow. Because cancellation updates the shared tracking table to a terminal '已取消' state and instructs PMs to cancel backend reservations, an unrelated participant or ambiguous chat message could wrongly terminate active work. In this operational context, the trigger is especially dangerous because it acts on high-impact workflow state with weak authorization and loose natural-language matching.

Vague Triggers

Medium
Confidence: 88%
Finding
The material-change trigger listens for casual phrases like '换物料', '换图', '换链接', and '换角标' in DM or group chat, which can be used in ordinary discussion and may not always represent a clear instruction to modify live campaign data. Although the document narrows execution by saying only the PM supplying materials is recognized and group requests are redirected to DM, the trigger language remains underspecified and could still cause unintended reconfiguration or approval resubmission if intent or project scope is inferred incorrectly.

VirusTotal

63/63 vendors flagged this skill as clean.
