Comics

Security checks across malware telemetry and agentic risk

Overview

The skill appears low-risk, but its comics-facing metadata and anime streaming-style instructions should be aligned before users rely on routing or expectations.

Before installing, check that the skill name, description, and instructions all describe the same product. Treat it as low-risk based on the available evidence, but expect possible confusion until the publisher clarifies whether it is for comics, anime streaming, or both.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The skill manifest says this skill is for comics reading, social interaction, fan creation, and merchandise shopping, but the body documents a different '正版动漫' streaming-video capability set. This mismatch can mislead users and downstream agents about what actions or data the skill actually handles, increasing the risk of inappropriate invocation, bad routing, or unsafe assumptions about functionality and permissions.

Intent-Code Divergence

Medium

Confidence: 94% confidence
Finding: The headings, examples, and workflow describe a '正版动漫' experience that contradicts the declared 'Comics' skill purpose. In an agent ecosystem, this kind of inconsistent skill identity can cause prompt-routing confusion, user deception, and accidental exposure of irrelevant or unexpected features, especially when another system selects skills based on manifest metadata.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal