Back to skill

Security audit

Epic Leek Daily

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed A-share investment note generator that reads market and knowledge-base data, writes a local Markdown note, and optionally syncs it to an IMA knowledge base.

Install only if you want daily investment notes saved to the listed local path and synced into the named IMA knowledge base. Before first use, confirm the path, IMA connector, and target folder are yours, and prefer invoking it with the explicit skill name to avoid accidental note generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases include broad, common language such as '做个今日笔记' and '生成投研笔记', which can cause the skill to activate in ordinary conversation without clear user intent. Because this skill performs data-affecting actions like generating files and syncing to a knowledge base, accidental invocation increases the chance of unintended side effects and disclosure of user content into external systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly directs writing a local file to a fixed path and synchronizing the generated content into an external knowledge base, but does not require an explicit user warning or consent at the point of action. This is dangerous because it can persist potentially sensitive financial notes to disk and export them to another system without informed approval, creating privacy, integrity, and unintended data-sharing risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.