Back to skill

Security audit

Auto-Report

Security checks across malware telemetry and agentic risk

Overview

This is a transparent report-scheduling helper, but users should approve the exact sources, schedule, and destination before enabling recurring delivery.

Install only if you want help creating scheduled reports. Before adding any cron job, confirm the exact files or systems it may read, the recurrence schedule, the chat or document destination, the audience, and whether sensitive fields should be redacted or tested in a private destination first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad generic terms such as "report" and "总结" that are likely to appear in many normal conversations, increasing the chance this skill activates when the user did not intend to schedule reporting or send content to channels. In this skill’s context, unintended activation is more concerning because the skill supports automation, scheduled execution, and channel delivery, which can lead to unintended task creation or data sharing rather than just a harmless suggestion.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly promotes delivering generated reports to chat channels and creating Feishu documents, but it does not warn about privacy, sensitive data exposure, audience scope, or retention risks. Because the workflow encourages reading data sources and then publishing summaries on a schedule, users may unintentionally automate disclosure of internal, personal, or regulated information to persistent or broadly visible destinations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.