Overseas Investment Compliance

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed overseas-investment compliance guide with no hidden code, external transmission, persistence, or privileged actions.

Use this as a planning aid, not legal advice. Share only the investment details needed for the question, narrow ambiguous requests to cross-border investment, and verify current rules with counsel or official sources before acting; the referenced State Council Order No. 837 is an official outbound-investment rule scheduled to take effect on July 1, 2026. ([mee.gov.cn](https://www.mee.gov.cn/zcwj/gwywj/202606/t20260602_1157822.shtml?utm_source=openai))

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger table includes broad phrases such as “我这个投资合规吗”, “能投吗”, and “合规路径是什么”, which can match many general legal, business, or policy questions and cause the skill to activate outside its intended overseas-investment scope. In a compliance skill, unintended activation is risky because users may receive specialized cross-border regulatory guidance when they were actually asking about a different domain, increasing the chance of misleading or overconfident advice.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal