Security audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a low-risk Chinese personality quiz skill, with usability and activation-scope caveats rather than evidence of malicious behavior.

Install if you want a Chinese-language personality quiz and are comfortable with it tracking your quiz progress or answers. Prefer explicit invocation, and avoid sharing sensitive personal details in quiz responses unless you are comfortable with the host agent retaining them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 69%
Finding
The skill declares itself broadly applicable ('任何AI平台均可运行,装上就能测', i.e. "runs on any AI platform; install it and start the test") without clear trigger constraints, scope boundaries, or invocation conditions. In agent ecosystems, overly broad invocation can cause irrelevant auto-activation, user confusion, or unintended interception of unrelated conversations, though this particular skill is low-risk because it is an entertainment quiz with no privileged actions or external integrations.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The skill hardcodes all prompts, UI text, and control flows in Chinese with no language negotiation or fallback. This can exclude or mislead users who do not read Chinese, causing consent, comprehension, and usability issues, especially where the skill expects users to follow precise response formats.

Vague Triggers

Medium
Confidence: 95%
Finding
The binding matches any interaction on the default channel, which can cause the skill to activate far more broadly than intended. In a quiz-style skill that tracks detailed per-user personality-test state, overly broad activation increases the chance of unsolicited interception, accidental triggering, and unnecessary collection or mutation of user state.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.