各地方言 Map

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese dialect lookup skill with disclosed database setup and minor privacy/data-reset caveats, not evidence of malware.

Install only if you are comfortable with a local dialect database being created or reset. Review contacts.json before use, remove any contact entries you do not need, and do not run the auxiliary import scripts unless you understand their hardcoded paths and database mutations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The skill states that the agent will automatically use a contact's dialect preference from contacts.json, but it does not mention user awareness, consent, or an opt-in mechanism. This creates a privacy and autonomy risk because contact-linked preference data may be used to alter interactions implicitly, and could expose or infer sensitive personal/cultural attributes without the current user’s explicit choice.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: `DROP TABLE IF EXISTS dialect_map;` is destructive and will erase any existing table with that name before recreating it. If this initializer is run against a non-isolated or reused SQLite database, it can cause unintended data loss and service disruption, especially because there is no guardrail, environment check, or explicit warning.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal