日报和周报(daily-report and weekly-report)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a repository report-generation skill whose broad project scanning is purpose-aligned, but users should scope it carefully before generating shareable reports.

Install only if you want an agent to create reports from repository contents. Before running it, specify the exact repo or paths to include, exclude secrets/private notes, and review generated reports before sharing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrases are broad enough that ordinary discussion of reports or progress updates could activate the skill and cause repository scanning and file generation without sufficiently explicit intent. In this context, accidental activation matters because the skill reads project contents, git history, and task files, which may expose sensitive internal information in generated output.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill performs broad repository reads and writes report artifacts, but the user-facing description does not prominently warn that source files, TODO comments, and task files will be scanned and summarized into new files. This can lead to unintentional disclosure of sensitive code comments, internal plans, credentials left in notes, or other confidential material in a shareable report.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal