🐢 Flicker - ASCII 宠物伙伴

Security checks across malware telemetry and agentic risk

Overview

This is a playful ASCII pet skill with scoped local state and no evidence of credential access, network activity, destructive behavior, or deception.

Install it if you are comfortable with a conversational pet that may appear when broad trigger words are used and that keeps a small local pet state file. Use explicit commands like `/buddy` and `/stats` if you want fewer accidental activations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrases include very common language such as 'buddy', '我的宠物', and 'Flicker', which can cause accidental invocation during normal conversation. Because the skill can then read/write pet state and invoke `exec` to run `node {baseDir}/scripts/generate.js`, unintended activation could lead to unwanted tool use, state changes, or disruptive responses without clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal