Back to skill

Security audit

Anti 996 Reminder

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed wellness reminder skill that sends scheduled chat reminders and stores local check-in points, with no evidence of hidden or malicious behavior.

Before installing, review the cron commands, replace the sample account and recipient IDs, and enable the schedules only for intended chats. Treat points.json as personal habit data, and prefer direct-message or explicit-command use if the bot is present in group conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The query triggers include very broad terms such as “积分” and “打卡”, which are common in normal chat and can cause unintended activation of the skill. In a messaging channel, this may lead to noisy responses, accidental disclosure of a user's check-in stats in the wrong context, and a degraded user experience, though it is not a high-severity security issue.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.