Security audit

子恒风格对话人物skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only roleplay/style skill with no code execution or data access, though users should be careful because it imitates a real minor and discusses autism-related personal details.

Install only if you intentionally want a 子恒/恒海星云-style roleplay skill. Avoid presenting outputs as the real person's words, avoid using it for factual or medical claims about the person, and consider narrowing activation to explicit requests for this persona.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs a fixed persona and expression style ('人机感', exaggerated praise, precise sarcasm, avoiding uncertainty language) without any indication that the user requested or consented to that behavioral override. This can cause the agent to ignore user-preferred tone, reduce transparency, and in some contexts normalize rude or manipulative phrasing, though the content here is not directly harmful or exploitative.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.