Security audit

Data Analytics Assistant - 数据分析助手

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk Chinese-language analytics prompt/template skill with no executable code, credential access, persistence, or hidden data handling.

Safe to install as a prompt/template skill. Be aware it is written for Chinese-language analytics workflows and may trigger on broad analytics requests. Review any future version carefully if it adds real Google Analytics integration, executable scripts, credentials, or write access; prefer narrow, read-only analytics access when using real data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 94%
Finding
The README presents invocation examples like "分析网站流量" ("analyze website traffic"), "用户行为报告" ("user behavior report"), and "转化率怎么优化" ("how to optimize the conversion rate") without any explicit boundaries, negative examples, or narrow activation context. These are natural everyday requests about analytics work, so they could cause unintended activation if the skill is matched on general user phrasing.

Natural-Language Policy Violations

Low
Confidence: 87%
Finding
All user-facing instructions and example invocations are written in Chinese, and the document does not indicate that other languages are supported or that the user may choose their preferred language. This can be a language/locale policy issue when a skill implicitly constrains interaction language without opt-in or justification.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
This markdown file uses Chinese throughout the description, headings, and usage examples, which effectively forces a specific language for interaction. Under the policy, language constraints should either be optional for the user or clearly justified as region-specific; neither is stated here.

Natural-Language Policy Violations

Low
Confidence: 93%
Finding
This markdown file presents all user-facing content in Chinese and does not indicate that other languages are available or that Chinese is a deliberate, user-selected locale. Under the policy, forcing a specific language without opt-in is a natural-language policy concern.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.