淘股吧A股市场复盘

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for signing into Taoguba if needed, collecting recommended posts, and summarizing them.

Install only if you are comfortable letting an agent use Taoguba credentials you provide to log in and fetch posts. Prefer a dedicated or low-risk account, avoid reusing important passwords, and remove the environment variables after use if you do not want future runs to log in automatically.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to use environment-stored credentials to log into a third-party site, but it does not adequately warn about the risks of transmitting credentials to an external service, session leakage, or accidental exposure through tooling, screenshots, logs, or browser state. In this context, the agent is explicitly automating login to a non-first-party website, which increases the chance of credential misuse or unintended disclosure if the environment or browser tooling is not tightly controlled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal