Back to skill

Security audit

Universal Utility Toolkit - 全能实用工具包

Security checks across malware telemetry and agentic risk

Overview

This appears to be a benign local developer utility toolkit, with broad wording and a few overstated features but no hidden or high-impact behavior found.

Install only if you want a general-purpose local utility toolkit. Treat currency conversion as approximate because rates are hardcoded, and verify any separately installed npm package name before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest description says to invoke the skill for broadly defined needs like 'utility tools' and 'any common development utilities,' which can match a very large fraction of ordinary user requests. Over-broad routing increases the chance the wrong skill is auto-selected, causing unnecessary exposure to its capabilities and creating confusion or unsafe tool use when a narrower skill should handle the request.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The package description and keywords define an extremely broad, catch-all utility skill without clear boundaries on when it should be invoked. In agent ecosystems, overly broad trigger scope can cause the skill to be selected for unrelated tasks, increasing the chance it processes sensitive user data or bypasses more specialized, safer skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.