Gaokao Calculus Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a coherent educational math skill with disclosed local scripts and dependency installation, though its API-key declarations could be explained more clearly.

Install in a virtual environment, review the unpinned Python dependencies if reproducibility matters, and only provide API keys if you understand which integration needs them. Expect the skill to run local Python scripts for math generation and analysis, and be aware its broad triggers may activate for general contextual math requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The configuration declares required and optional secrets (OPENAI_API_KEY, GEOGEBRA_API_KEY, WOLFRAM_APP_ID) but provides no user-facing disclosure about why they are needed, which operations may transmit data to external services, or how those credentials are stored and used. This creates a real security and privacy risk because users or operators may supply high-privilege keys without informed consent, potentially exposing data to third-party APIs or enabling unintended billing and account misuse.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal