Security audit

MVP Builder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Chinese-language MVP planning advice skill with no evidence of code execution, data access, persistence, or hidden behavior.

Install this if you want Chinese-language guidance for narrowing an MVP and planning a quick launch. Consider tightening the activation phrases or adding language-selection instructions if the skill will be used in multilingual workspaces.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger keywords and read conditions include broad phrases such as '先做什么' and '怎么快速上线', which can match many ordinary product-related conversations and cause unintended skill activation. While not directly enabling code execution or data exfiltration, over-triggering can override more relevant guidance, reduce system reliability, and increase the chance of users receiving mismatched advice.

Natural-Language Policy Violations

Medium

Confidence: 80% confidence
Finding: The skill metadata and content are written only in Chinese and do not indicate any user-language negotiation, fallback behavior, or multilingual support. This can cause the skill to respond in a language the user did not request, creating confusion, incorrect task execution, or missed safety-critical details if the user cannot fully understand the output.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.