Pangolin Safe Yield

Security checks across malware telemetry and agentic risk

Overview

This is a single-file investment-analysis skill that provides advisory research guidance, not code execution or account access.

Install only if you want a Chinese-oriented investment analysis framework. Treat outputs as research prompts, not personalized financial advice, and verify data, market, locale, and risk assumptions before making any investment decision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (91% confidence)
Finding
The trigger list contains broad phrases such as '投资分析', '仓位分配', '全面诊断', 'Pangolin', and 'SafeYield' that are likely to match ordinary financial conversations. This can cause accidental invocation of the skill in unrelated contexts, leading to unsolicited investment guidance and increasing the chance that users receive high-impact financial recommendations they did not explicitly request.

Natural-Language Policy Violations

Medium (82% confidence)
Finding
The skill metadata and content are strongly oriented toward a Chinese-language and China-market context without explicit user opt-in, including Chinese triggers and market-specific workflows. This can misalign the skill's assumptions with the user's locale or market intent, causing confusing activation or inappropriate financial analysis, though it is not a direct system-compromise vector.

VirusTotal

64/64 vendors flagged this skill as clean.
