企业-核心供应链波动预警

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only supply-chain risk analysis skill: its web research and modeling behavior is disclosed in the prompt, and the scan found no evidence of hidden execution, credential access, persistence, or destructive actions.

Before installing, expect this skill to perform public web research and produce supply-chain risk reports, likely in Chinese. Treat financial and operating-impact estimates as analytical support, not as verified investment advice, and ask for sources or language adjustments when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 88% confidence

Finding: The trigger '询问某企业是否经营稳定、发展前景(供应链维度)' is broad enough to match many generic company-prospect questions, which can cause this skill to activate outside the narrowly intended supply-chain risk scenarios. Over-broad activation is dangerous because it may hijack unrelated business queries and steer responses into speculative supply-chain analysis, increasing the chance of misleading output and of tool use on inappropriate prompts.

Natural-Language Policy Violations

Medium, 95% confidence

Finding: The skill description and instructions require Chinese output and workflow without checking the user's language preference. This can degrade safety and usability by overriding user intent, causing inaccessible or unexpected responses, especially in multilingual environments where agents should honor the user-selected language.

VirusTotal

61/61 vendors flagged this skill as clean.
