weekly-report-writer

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple Chinese weekly-report drafting helper with no code execution, file access, credential access, persistence, or hidden behavior.

Safe to install for drafting Chinese weekly reports. Review generated reports before sending, especially for confidential work details, factual accuracy, and whether you want Chinese or another language.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger definition is overly broad because it auto-activates on generic phrases like '本周总结', '工作复盘', and '给老板汇报', which can appear in contexts other than weekly-report writing. This can cause inappropriate skill invocation, leading the agent to steer conversations into structured report generation when the user may have intended a different task, increasing the risk of prompt hijacking via unintended routing or user-confusing behavior.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The usage conditions are ambiguous because they include broad scenarios like syncing progress to a manager without clear limits. In an agentic system, vague activation boundaries can cause the skill to capture unrelated managerial communication tasks, producing incorrect outputs or bypassing more appropriate skills, which is a security and reliability concern when routing is instruction-driven.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal