Security audit

技术报告生成 (Technical Report Generation)

Security checks across malware telemetry and agentic risk

Overview

This is a simple report-writing template skill with no code execution, credential access, network use, or persistence.

This skill appears safe to install for report drafting. Users should review generated reports for accuracy and be aware that the skill may trigger for broad writing requests, but it does not ask for sensitive access or perform system actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 96% confidence
Finding
The description says to use the skill when the user asks to "write, create, or draft a report, summary, or analysis document," which is broad and overlaps with common requests in many contexts. It does not define tighter trigger boundaries or exclusion cases, so the skill could be invoked for routine writing tasks beyond its intended scope.

Natural-Language Policy Violations

Low, 79% confidence
Finding
The manifest sets the display name to Chinese ("技术报告生成") while the rest of the skill content is in English, with no indication that the skill is region-specific or that users can choose their language. This can indicate a locale policy issue if the organization expects language choice or consistency, unless the mismatch is explicitly justified.

VirusTotal

66/66 vendors flagged this skill as clean.