S.H.I.T底刊摘要

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do purpose-aligned website scraping and analysis, with no evidence of hidden persistence, credential use, or destructive behavior.

Before installing, confirm you are comfortable with the skill accessing the target website and potentially sending scraped page content to an AI service for analysis. Avoid using it on private, confidential, or consent-sensitive pages unless the data-sharing path is clear.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 90% confidence
Finding: The skill explicitly describes automated website scraping and AI-based analysis but does not warn users that it will make external network requests and may transmit scraped content to an LLM service. This can create unexpected data exposure, policy, and consent issues, especially in environments where outbound access or third-party data sharing must be disclosed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal