Back to skill

Security audit

Bank Regulatory Reporting

Security checks across malware telemetry and agentic risk

Overview

This is a text-only banking report drafting skill with sensitive-data caveats but no executable code, hidden access, or persistence.

Install only for Chinese banking regulatory report drafting. Do not paste raw customer identifiers, transaction-level records, suspicious activity details, or supervisory materials unless your organization approves that AI workflow; minimize or redact inputs and have authorized compliance staff verify outputs before any filing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly markets generation of AML, regulatory, and compliance reports from raw banking data, which strongly implies handling highly sensitive customer, transaction, and supervisory information. Without any warning, data-handling constraints, privacy controls, or guidance on secure processing, users may expose regulated financial data to an AI workflow in ways that create confidentiality, compliance, and data-sovereignty risks.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list contains broad terms such as '合规报告', '统计报告', and '数据报送' that can match ordinary banking or compliance discussions instead of an intentional invocation of this specific skill. In an agent environment, overly generic triggers can cause the skill to activate unexpectedly, pulling sensitive regulatory-reporting workflows into unrelated conversations and increasing the risk of inappropriate guidance or data handling.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to activate this skill for generic banking compliance and reporting requests, not just narrowly scoped regulatory-reporting tasks. In a sensitive financial context, overbroad routing can cause the wrong skill to handle user inputs, increasing the risk of inaccurate regulatory guidance, inappropriate data handling, or unintended access to sensitive workflows.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.