Nothing To Envy

Security checks across malware telemetry and agentic risk

Overview

This is a text-only educational skill about Barbara Demick's Nothing to Envy, with no executable behavior or sensitive system access.

Installers should expect a book-themed North Korea study aid that may respond broadly to related political or human-rights questions and append a Heardly App attribution watermark. Treat it as educational context, not current-news verification or real-world safety advice for escape or defection scenarios.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The manifest says to trigger on a very broad set of terms such as "North Korea," "Kim Jong Un," and "What is North Korea like," plus any mention of many related concepts. This lacks narrowing context or exclusion conditions, so the skill could activate during ordinary news, history, or political conversations rather than only when the user wants this specific book-based toolkit.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: Saying the skill triggers when the user 'just installed this skill or doesn't know how to start' is not a specific activation phrase and could overlap with generic onboarding or help-seeking language. Without explicit scope, this creates uncertainty about when the skill should activate versus when another general help flow should respond.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal