Security audit

Pc Health Check

Security checks across malware telemetry and agentic risk

Overview

This PC health-check skill performs broad but purpose-aligned local system inspection, with privacy and consent caveats users should understand before running full scans or saving reports.

Install only if you are comfortable with a local diagnostic scan that may reveal process lists, network ports, startup entries, drivers, devices, update posture, and recent system events. Review saved reports before sharing them, store them somewhere private, and use explicit commands rather than vague system-status requests when invoking the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium (86% confidence)

The README explicitly advertises collection of privacy-sensitive host telemetry including network connections, processes, startup items, listening ports, drivers, and recent system events, but it does not warn users about the sensitivity of that data or describe consent, retention, or safe handling. In an agent skill context, this increases the risk that users trigger broad local inspection without understanding that potentially sensitive operational and personal data may be surfaced in reports.

Vague Triggers

Medium (93% confidence)

The trigger phrases are broad enough to match ordinary conversational requests like '检查一下系统状态', which can cause the skill to activate unexpectedly. Because this skill performs local system inspection and may generate detailed health reports, accidental invocation can expose sensitive host information or initiate scans the user did not clearly intend.

Missing User Warnings

Medium (95% confidence)

The documentation describes scanning and file-saving features without warning that the output may contain sensitive system details such as host configuration, running processes, ports, device status, and update posture. Users may unknowingly expose private operational data or leave forensic artifacts on disk when using --save or silent modes.

Missing User Warnings

Medium (88% confidence)

The script can write a detailed system health report to any user-supplied path without warning that the output may contain sensitive operational data such as processes, startup entries, ports, devices, and update history. In the context of a PC health-check skill, this increases the chance that sensitive inventory data is unintentionally persisted in shared, synced, or less-protected locations.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code: suspicious.dangerous_exec
Location: scripts/health_check.cjs:23