Security audit

Pans Roi Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a local AI compute ROI/TCO calculator; its main caveat is that its trigger words are broad and could activate in ordinary finance discussions.

Install only if you want a local ROI/TCO calculator for AI compute or GPU sales scenarios. Review the formulas before relying on financial outputs, avoid feeding unnecessary confidential pricing data, and use the CSV export path carefully because it writes to the path you provide.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 89% confidence

Finding
The trigger phrases include generic business terms such as ROI分析 (ROI analysis), 成本对比 (cost comparison), 投资回报 (return on investment), and 成本优化 (cost optimization), which are likely to appear in normal conversation outside the intended narrow use case. Overbroad triggers can cause unintended invocation, leading the agent to activate the skill in unrelated contexts and potentially process sensitive commercial data or override more appropriate workflows.

Vague Triggers

Medium, 92% confidence

Finding
The trigger section lists invocation terms but provides no boundary conditions, required inputs, or exclusion rules, making accidental activation more likely. In a business-analysis skill, that increases the chance of misrouting user requests, producing misleading ROI output from incomplete data, or unnecessarily exposing sensitive pricing and infrastructure assumptions to the skill flow.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.