胡田-OPC导师-合同风险审查

Security checks across malware telemetry and agentic risk

Overview

This appears to be a Chinese-language contract review helper with no evidence of hidden execution, credential use, persistence, or data exfiltration.

Install this only if you want Chinese-language contract review assistance. Treat its output as preliminary risk-spotting, not legal advice, and avoid pasting contracts that contain confidential, regulated, or third-party-sensitive information unless you are permitted to process them in your agent environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger conditions are very broad and overlap with many ordinary contract-related requests, which can cause the skill to activate in situations where the user did not explicitly ask for this specialized workflow. Over-broad activation increases the chance of inappropriate routing, unwanted prompt injection surface area, and user confusion about when the skill is being applied.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The skill is written entirely in Chinese without documenting a locale restriction or offering a language fallback, which can cause misinterpretation by users or orchestrators operating in other languages. In a security-sensitive review workflow, language mismatch can lead to incorrect use of the skill, missed warnings, or misunderstood contractual guidance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal