
Security audit

QQ Per-Minute Time Reminder (QQ每分钟时间提醒)

Security checks across malware telemetry and agentic risk

Overview

This skill openly creates a QQ bot cron reminder, but users should confirm the cadence because one example says hourly while the command runs every minute.

Install only if you want an ongoing QQ bot reminder. Before creating or deleting a cron task, confirm the recipient openid, timezone, and exact frequency, and keep the returned task ID so you can cancel it later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 79% confidence

Finding: The trigger guidance is broad enough that an agent could invoke this skill for loosely related requests, causing creation of recurring QQ push tasks without sufficiently precise user intent. In the context of a persistent minute-level delivery action, accidental activation can lead to unwanted spam, user annoyance, and operational misuse.

Missing User Warnings

Medium, 91% confidence

Finding: This skill creates and deletes persistent scheduled tasks that continuously deliver messages, yet it does not require explicit confirmation, frequency review, or a warning about ongoing effects. In this context, lack of confirmation is dangerous because a mistaken or ambiguous invocation can immediately create spammy recurring notifications or remove an existing task without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
