Security audit

师生共创模式指导-高校科技成果转化方法论 (Teacher-Student Co-Creation Model Guidance: University Technology Transfer Methodology)

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language advisory skill for university teacher-student startup collaboration, with no evidence of hidden access, persistence, or unsafe behavior.

Safe to install from an agentic-security perspective. Users should treat the commercialization, equity, governance, and intellectual-property suggestions as general educational guidance and consult qualified legal, financial, university technology-transfer, or business professionals before making binding decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
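This is a clear mismatch. The description declares a real business capability for guiding university teacher-student co-creation models, but the code does not implement any of the related analysis, advice, team-building, model-selection, or problem-solving functions; it is only a placeholder sample program. Although the code shows no hidden capabilities or unauthorized access to resources, its primary purpose is seriously inconsistent with the description, which falls under the case where "the primary purpose of the code is materially different from the description."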

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The manifest description is entirely in Chinese and presents the skill as a general-purpose guidance assistant, but it does not indicate that Chinese is optional or that the skill is intended only for Chinese-speaking users. Under the policy, forcing a specific language without user opt-in is a natural-language policy violation unless the locale restriction is clearly documented and justified.

VirusTotal

62/62 vendors flagged this skill as clean.
