Back to skill

Security audit

Tencent Yuanbao Gaokao - Regional Passing Scores

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Gaokao score-line lookup tool that runs a local helper and queries Tencent’s public Gaokao data endpoint.

Install this if you want a GaoKao regional score-line lookup assistant. Avoid putting unnecessary personal information in prompts, because the helper contacts Tencent’s Gaokao endpoint with the lookup filters you provide. The main practical caveat is that the trigger phrase is broad, so it may activate on some unrelated score-line queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The file defines a single trigger phrase, "分数线", that is very broad for a retrieval skill and can match many unrelated user queries discussing score lines in general. This can cause accidental invocation or routing to the wrong skill, which may produce irrelevant results, interfere with other skills, or expose data/actions not intended for that context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.