钟馗.Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed security-auditing skill with an optional rule-update feature; review that feature carefully, but the artifacts do not show hidden theft, destruction, or deception.

Install only if you want a local skill-auditing tool. Use normal review commands freely, but treat `--update --apply` as a rule-database change: prefer dry-run or interactive confirmation, review generated changes when possible, and avoid relying on the scanner as a security guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The metadata explicitly states that the regex fragments are split so individual pieces do not contain recognizable attack keywords and are later reassembled with join()+re.compile(). That is a deliberate obfuscation mechanism which can hinder upstream scanning, review, and policy enforcement even if the resulting signatures are intended for defensive detection.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The document describes a security-audit skill that can continuously ingest external threat intelligence and modify its own local detection/signature base through update and publish workflows. That is a real trust-boundary expansion: a user invoking a skill audit would not reasonably expect the skill’s detection logic to be rewritten based on external feeds, especially when key safeguards like regression validation and weight calibration are explicitly incomplete.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
The documented ingestion of NVD, Snyk, and Seebug feeds and subsequent rewriting of local detection data is broader than necessary for a user-invoked security review skill. This increases attack surface through external content dependency, feed poisoning risk, and unintended behavior drift in the analyzer, particularly because the pipeline converts external text into detection patterns.

Intent-Code Divergence

Severity: Low
Confidence: 72%
Finding
The file states that update and publish capabilities are already implemented while also acknowledging that important safety controls such as regression validation and weight calibration are not yet implemented. This mismatch can cause operators to trust and run update workflows that are not sufficiently safeguarded, increasing the chance of corrupted or low-quality rule updates entering production.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases include broad everyday language such as '查一下这个skill' ("check this skill") and '审一下' ("review it"), which increases the chance of accidental invocation in unrelated conversations. Unintended activation is risky here because the skill can lead to file inspection, shell-oriented workflows, and optional network update actions.

Ssd 2

Severity: High
Confidence: 94%
Finding
The file is intentionally structured to fragment known risky phrases so they evade naive keyword inspection while remaining reconstructable at runtime. In a security-review skill, this makes the rule base harder to audit and opens room for concealed malicious or policy-violating patterns to be smuggled into updates.

VirusTotal

65/65 vendors flagged this skill as clean.