钦天监

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only crypto and economic-cycle guide with a disclosed market-data lookup, but it does not install code, request credentials, persist data, or control funds.

Before installing, understand that the skill presents speculative crypto and economic-cycle analysis and may call Alternative.me when /qcx is used. Verify the website, DAPP, contract address, and any market data independently, and do not treat its forecasts or allocation suggestions as personalized financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly states that sending `/qcx` will automatically call a third-party API to retrieve BTC sentiment, but it does not warn the user that a network request will occur or that conversation-derived usage data may be sent to an external service. This creates a transparency and privacy problem, and in agent environments it can also expand the attack surface through unreviewed outbound connections.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal