胡田 OPC导师 Skill发布体系

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed publishing and recommendation toolkit, with no evidence of hidden malware, exfiltration, destructive actions, or credential misuse.

Install only if you want an OPC-style publishing and cross-recommendation framework. Keep recommendation triggers scoped to an active recommendation context, review generated report footers before sharing external documents, and avoid uploading confidential technical, patent, or team information unless you are comfortable with the platform’s data handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch
Medium, 88% confidence

The skill is presented as a documentation and release-system framework, yet it grants bash access, which enables arbitrary shell command execution far beyond the stated need. If an agent follows embedded workflow steps or future prompt inputs using bash, this expands the attack surface to command execution, filesystem manipulation, and possible data exposure.

Context-Inappropriate Capability
Medium, 90% confidence

Unrestricted bash is not justified by the declared purpose of publishing guidance, recommendation logic, and pricing strategy. In this context, the capability is more dangerous because the document includes command examples and file-creation workflows, making it plausible that an agent could be induced to execute shell operations on the host environment.

Vague Triggers
Medium, 90% confidence

The specification requires the follow-up module to trigger after any user question is answered or any report/document is generated, which is overly broad for a conversational skill. This can cause unsolicited cross-skill activation or recommendation prompts in normal interactions, increasing the chance of unintended workflow transitions, spammy behavior, and user manipulation toward commercial upsells.

Vague Triggers
Medium, 89% confidence

The manifest description is very broad and does not define clear activation boundaries, exclusions, or refusal conditions. In practice, this can cause the skill to be invoked for loosely related requests and perform high-stakes technical or investment-style evaluation outside its intended scope, increasing the chance of over-collection of sensitive information and unsafe reliance on unqualified analysis.

Missing User Warnings
Medium, 95% confidence

The skill asks users to provide patent documents, technical materials, and team background information, all of which may contain confidential business, personal, or trade-secret data, but it provides no warning about sensitivity, minimization, retention, or safe handling. In a due-diligence context, this is more dangerous because users are especially likely to upload non-public materials, creating material privacy, confidentiality, and competitive-risk exposure.

Vague Triggers
Medium, 82% confidence

The recommendation module defines broad conversational triggers such as replying with a bare number or saying '换一批' ("show another batch"), which can overlap with normal user dialogue and cause unintended skill transitions. In an agent setting, ambiguous activation can redirect the interaction flow, expose unrelated capabilities, or bypass the user's intended context.

Vague Triggers
Low, 75% confidence

The 'triggers' field is described without validation rules, allowing future skills to register vague or overly broad activation phrases. In a recommendation and routing system, weak trigger hygiene can lead to accidental activation, misrouting, and easier prompt-surface abuse when new entries are added to the network.

Vague Triggers
Medium, 84% confidence

The trigger phrases for the due-diligence skill are broad enough to match ordinary discussion about IP risk, patents, or technical doubts, which can cause unintended invocation. In an agent setting, over-broad routing can expose users to irrelevant workflows, unexpected recommendations, or unrequested business guidance, reducing predictability and increasing the chance of context confusion across skills.

Vague Triggers
Medium, 86% confidence

The scoring skill uses generic phrases like project review, solution scoring, competition scoring, and qualification assessment without enough contextual boundaries. Such ambiguous triggers can activate the skill during normal evaluation conversations and steer the agent into quasi-authoritative scoring behavior when the user did not request that function.

Vague Triggers
Medium, 88% confidence

The sandbox-planning skill includes highly generic strategy terms such as strategic planning, risk prediction, path selection, and decision support, which are common in routine business conversation. In an agent ecosystem, this can cause over-triggering and recommendation drift, making the system behave unpredictably and potentially overshadow more appropriate skills.

Vague Triggers
Medium, 83% confidence

The user-profile/private-domain management skill contains broad marketing and user-analysis triggers that may match common CRM or growth discussions without clear consent or context limits. In practice, this can lead to unintended invocation of a user-management-oriented skill, which is more sensitive because it suggests profiling or operational handling of user data domains.
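The two recurring problems in the findings above, a tool grant that exceeds the declared purpose and activation triggers broad enough to match ordinary conversation, can both be caught before a skill is added to the network. The following pre-install linter is an added example written for this page; it is not code from SkillSpector or from the scanned skill. The manifest shape (`name`, `purpose`, `tools`, `triggers`, `context_scoped`), the tool names, the list of generic terms and the sample manifest are all assumptions constructed for the example; the phrases themselves are taken from the findings.

```python
"""Pre-install linter for agent-skill manifests (added example, assumed manifest shape)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Tools that give the agent arbitrary host execution. A documentation,
# recommendation or advisory skill should not need any of them.
HIGH_RISK_TOOLS = {"bash", "shell", "exec"}
NON_EXECUTION_PURPOSES = {"documentation", "recommendation", "advisory"}

# Generic business vocabulary that also occurs in ordinary conversation,
# so it over-triggers when registered on its own (terms from the findings).
GENERIC_TERMS = {
    "strategic planning", "risk prediction", "path selection", "decision support",
    "project review", "solution scoring", "competition scoring",
    "qualification assessment", "user analysis", "marketing",
}

# Follow-up phrases that are only meaningful inside an active recommendation
# flow: '换一批' means "show another batch".
CONTEXT_DEPENDENT_PHRASES = {"换一批"}


@dataclass
class Issue:
    skill: str
    code: str
    detail: str


def check_tools(skill: dict) -> list[Issue]:
    """Flag host-execution tools on skills whose purpose does not call for them."""
    issues = []
    if skill.get("purpose") in NON_EXECUTION_PURPOSES:
        for tool in skill.get("tools", []):
            if tool.lower() in HIGH_RISK_TOOLS:
                issues.append(Issue(skill["name"], "excess-tool",
                    f"{tool!r} grants command execution; not needed for {skill['purpose']!r}"))
    return issues


def check_triggers(skill: dict) -> list[Issue]:
    """Reject wildcard, bare-number, generic and unscoped follow-up triggers."""
    issues = []
    for raw in skill.get("triggers", []):
        t = raw.strip().lower()
        if t in ("", "*"):
            code, why = "wildcard-trigger", "fires after every turn"
        elif re.fullmatch(r"\d+", t):
            code, why = "numeric-reply-trigger", "a bare number matches ordinary replies"
        elif t in GENERIC_TERMS:
            code, why = "generic-trigger", "common business phrase, will over-trigger"
        elif t in CONTEXT_DEPENDENT_PHRASES and not skill.get("context_scoped", False):
            code, why = "unscoped-followup-trigger", "follow-up phrase without a context guard"
        else:
            continue
        issues.append(Issue(skill["name"], code, f"trigger {raw!r}: {why}"))
    return issues


def lint_manifest(manifest: dict) -> list[Issue]:
    """Run every check over every skill in the manifest."""
    issues: list[Issue] = []
    for skill in manifest.get("skills", []):
        issues += check_tools(skill)
        issues += check_triggers(skill)
    return issues


def route_followup(message: str, recommendation_active: bool) -> str | None:
    """Runtime guard: a bare number or '换一批' only routes to the recommendation
    module while a recommendation list is actually on screen; otherwise it is
    treated as normal dialogue and ignored by the router."""
    if not recommendation_active:
        return None
    m = message.strip()
    if re.fullmatch(r"\d{1,2}", m) or m in CONTEXT_DEPENDENT_PHRASES:
        return "recommendation"
    return None


# Constructed sample manifest mirroring the patterns the findings describe.
SAMPLE_MANIFEST = {
    "skills": [
        {"name": "publishing-guide", "purpose": "documentation",
         "tools": ["read_file", "write_file", "bash"],
         "triggers": ["how do I publish a skill", "release checklist"]},
        {"name": "sandbox-planning", "purpose": "advisory",
         "tools": ["read_file"],
         "triggers": ["strategic planning", "decision support",
                      "run a sandbox simulation of my launch plan"]},
        {"name": "followup", "purpose": "recommendation",
         "tools": [],
         "triggers": ["*", "换一批", "1"]},
    ]
}

if __name__ == "__main__":
    for issue in lint_manifest(SAMPLE_MANIFEST):
        print(f"[{issue.code}] {issue.skill}: {issue.detail}")
```

Running the linter on the sample manifest reports the bash grant on the documentation skill, the two generic phrases on the planning skill, and all three follow-up triggers; the longer, task-specific phrases pass. The `route_followup` guard is the runtime counterpart of the report's install advice: follow-up triggers stay inert until the user is inside a recommendation flow.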

VirusTotal

65/65 vendors reported this skill as clean. That verdict covers the skill's files as scanned by antivirus engines only; it does not address the trigger-scoping, tool-grant, or data-handling findings above, which are prompt-level issues no file scanner evaluates.