Hutian Opc Business Plan

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, with the main concern being that it should warn users before they upload sensitive business documents.

Before using this skill, avoid uploading confidential business plans, customer lists, credentials, trade secrets, unpublished financials, or personal data unless you are authorized and it is necessary. Prefer redacted summaries where possible. VirusTotal telemetry was clean, and no artifact-backed malicious or hidden behavior was identified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly asks users to upload existing BP drafts, product documents, and project overviews but does not warn against sharing confidential business information, personal data, trade secrets, or regulated data. In a business-plan workflow, those documents commonly contain sensitive commercial, financial, contractual, and identity information, so the omission can lead to unnecessary disclosure to the model or connected tools.

VirusTotal

64/64 vendors flagged this skill as clean.
