Back to skill

Security audit

Team Weekly Report Generator

Security checks across malware telemetry and agentic risk

Overview

This is a coherent weekly-report helper that stores user-provided team report data locally for later summaries, with privacy considerations but no deceptive or unrelated behavior found.

Install only if you are comfortable with weekly report contents, including names, work details, plans, and hours, being saved locally in memory/weekly-reports. Use explicit weekly-report prompts when generating summaries, and delete old JSON files when retention or privacy requirements call for it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases for starting report generation are overly broad, especially generic commands like “汇总”, “整理”, and “生成周报”, which can cause the skill to activate outside the intended context. In a system that reads and writes persisted weekly report data, unintended activation may expose, modify, or summarize sensitive team information without clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly persists uploaded team report contents to disk under `memory/weekly-reports/` but does not disclose this to users or obtain consent. Because weekly reports may contain employee names, work details, plans, and time allocations, silent retention increases privacy, confidentiality, and compliance risk if users assume the data is only processed transiently.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.