Security audit

ai-usage-collector

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only helper for turning user-provided WeChat AI-usage messages or screenshots into CSV, with privacy considerations but no hidden code or privileged behavior.

Install only if you are allowed to process the chat content. Provide the minimum relevant excerpts or screenshots, redact unrelated personal or confidential information, review extracted names and facts before sharing, and check CSV cells before pasting into Excel or Teams.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrase "帮我整理群消息" ("help me organize the group messages") is broad enough to match ordinary requests about summarizing or organizing group chat content, which can invoke the skill outside its intended AI-usage-collection scope. In this skill's context, accidental activation is more concerning because the input may contain colleague names, screenshots, and other potentially sensitive workplace chat content, increasing the chance of unintended extraction and disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README encourages processing WeChat messages and screenshots containing colleague names and workplace activity without warning users about privacy, consent, confidentiality, or data-minimization concerns. Because the skill is specifically designed to collect employee AI-usage records, missing safeguards can lead to unauthorized handling of personal or sensitive business information and create compliance and internal privacy risks.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill is designed to ingest WeChat group chat text and screenshots, which commonly contain personal data, internal business details, and other sensitive content, but it provides no warning, consent check, minimization guidance, or handling restrictions. This creates a real privacy and data-exposure risk because users may paste or upload broad conversation history and images for processing beyond what is necessary for the stated task.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.