
Security audit

Ai Company Cqo 2.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI quality-governance skill with a local checker tool; the main risks are broad activation, reasoning disclosure, and a report file write, not hidden or malicious behavior.

Install this only if you want a Chinese-oriented AI quality-governance workflow. Use explicit prompts to limit activation and language, avoid sharing sensitive project data with subagent or session workflows unless that exposure is acceptable, and run the bundled checker only on skill directories you intend to scan, because it writes a report file into the directory it scans.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
88% confidence
Finding
The checker writes 'quality-gate-report.md' into the inspected skill directory even though it presents itself as a checker/scanner. In security workflows, unexpected mutation of scanned content can taint repositories, alter evidence, trigger automation, or overwrite existing files, especially when the target path is supplied by the user.

Intent-Code Divergence

High
92% confidence
Finding
The generated report labels success based on 'self.score >= 80', but the actual process exit/pass condition is 'len(self.results['failed']) == 0'. The two can disagree in both directions: a run with one failed check and a score of 90 is reported as passed while the process exits non-zero, and a run with no failed checks but a score below 80 is reported as failed while the process exits zero. In CI/CD and governance contexts this is dangerous because users or automation may trust the wrong status and approve unsafe content.
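Worked example of the divergence, added here and not taken from the skill's checker: the two predicates quoted in the finding ('self.score >= 80' and 'len(self.results["failed"]) == 0') are the skill's, but the class around them, the PASS_SCORE constant and the sample results are assumptions made for the demonstration. The fix shown is to compute both the report label and the exit code from one gate predicate so they cannot drift apart.

```python
"""Report-status vs. exit-code divergence, and a single-predicate fix.

Added illustration, not the skill's own checker code. The two quoted
predicates come from the finding; everything else here is assumed.
"""

PASS_SCORE = 80  # assumed threshold behind 'self.score >= 80'


class DivergentGate:
    """Reproduces the mismatch: the report and the exit code use different rules."""

    def __init__(self, results: dict, score: int):
        self.results = results  # {"passed": [...], "failed": [...]}
        self.score = score

    def report_status(self) -> str:
        # What quality-gate-report.md says: score-based.
        return "passed" if self.score >= PASS_SCORE else "failed"

    def exit_code(self) -> int:
        # What CI/CD actually sees: failure-count-based.
        return 0 if len(self.results["failed"]) == 0 else 1


class ConsistentGate(DivergentGate):
    """Fix: derive both signals from one gate predicate."""

    def gate_passed(self) -> bool:
        # Conservative union: any failed check OR a low score blocks the gate.
        return len(self.results["failed"]) == 0 and self.score >= PASS_SCORE

    def report_status(self) -> str:
        return "passed" if self.gate_passed() else "failed"

    def exit_code(self) -> int:
        return 0 if self.gate_passed() else 1


def audit_consistency(gate: DivergentGate) -> dict:
    """Compare the two signals; a CI self-check should fail when they disagree."""
    status = gate.report_status()
    code = gate.exit_code()
    return {
        "report": status,
        "exit_code": code,
        "consistent": (status == "passed") == (code == 0),
    }


if __name__ == "__main__":
    # Constructed sample: one failed check but a high overall score.
    sample = {"passed": ["lint", "tests", "docs"], "failed": ["secret-scan"]}
    for cls in (DivergentGate, ConsistentGate):
        print(cls.__name__, audit_consistency(cls(sample, 90)))
```

Running the block prints the divergent gate reporting "passed" with exit code 1 and the consistent gate reporting "failed" with exit code 1; a pipeline that only reads the markdown would approve the first run.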

Vague Triggers

Medium
94% confidence
Finding
The trigger list contains broad, common terms such as `质量` (quality), `质检` (quality inspection), `PDCA`, and `品质` (product quality), which can cause the skill to activate in many unrelated conversations. In an agent environment, unintended activation can inject rigid governance instructions into normal workflows, override user expectations, or expose internal process behavior where the user did not request this skill.

Natural-Language Policy Violations

Medium
87% confidence
Finding
The skill description and surrounding design strongly center Chinese-language and Chinese-standardized terminology without indicating a user-selectable language mode. This can cause unexpected behavior, reduce transparency for users operating in other languages, and create prompt-level misalignment when the skill is auto-invoked.

Natural-Language Policy Violations

Medium
95% confidence
Finding
The constraints require a fixed output style and terminology regime and do not offer the user a language or presentation choice. When combined with broad triggers, this can force responses into an unexpected format, reducing user control and potentially causing policy or compliance text to be injected into unrelated tasks.

Vague Triggers

Medium
84% confidence
Finding
The trigger conditions are broad enough to activate in common review, CI/CD, or compliance-check contexts without clear scoping boundaries. In an agent environment, over-broad activation can cause the skill to run unexpectedly, inspect unintended targets, or influence workflows outside the user's precise intent, which is a real safety and security concern even without obviously malicious behavior.
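Worked example for both Vague Triggers findings, added here and not part of the skill or of SkillSpector: a small harness that measures how often a trigger list fires on prompts that do not want the skill. BROAD_TRIGGERS reuses the four terms quoted in the earlier finding and assumes they are matched as bare substrings; SCOPED_TRIGGERS, the prompts and their "should activate" labels are constructed for the demonstration.

```python
"""Trigger precision check: how often does a trigger list fire on unrelated prompts?

Added example. BROAD_TRIGGERS reuses the terms quoted in the finding (assumed
to be matched as bare substrings); SCOPED_TRIGGERS and the labelled prompts
are constructed here and are not the skill's own.
"""


def fires(triggers: list[str], prompt: str) -> list[str]:
    """Return the trigger terms found in the prompt (case-insensitive substring match)."""
    text = prompt.lower()
    return [t for t in triggers if t.lower() in text]


def evaluate(triggers: list[str], labelled_prompts: list[tuple[str, bool]]) -> dict:
    """Count activations against the labels and report precision and recall."""
    tp = fp = fn = 0
    for prompt, wanted in labelled_prompts:
        hit = bool(fires(triggers, prompt))
        if hit and wanted:
            tp += 1
        elif hit and not wanted:
            fp += 1
        elif not hit and wanted:
            fn += 1
    activations = tp + fp
    return {
        "activations": activations,
        "false_positives": fp,
        "precision": tp / activations if activations else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
    }


BROAD_TRIGGERS = ["质量", "质检", "PDCA", "品质"]
# Scoped alternative (assumed): require a governance-specific phrase, not a bare noun.
SCOPED_TRIGGERS = ["质量门禁", "质量治理", "PDCA 循环", "品质管理体系"]

# Constructed prompts; True means the governance skill is genuinely wanted.
PROMPTS = [
    ("帮我建立一个质量门禁流程", True),             # set up a quality-gate process
    ("我们需要做质量治理，请用 PDCA 循环", True),   # quality governance via a PDCA cycle
    ("这张图片质量太低了，能帮我放大吗？", False),  # low image quality, please upscale
    ("帮我把“品质”这个词翻译成英文", False),       # translate the word "quality"
    ("我想买一台质检用的显微镜", False),            # buy a microscope for inspection work
    ("PDCA 是什么意思？", False),                   # what does PDCA stand for?
    ("写一个 Python 脚本解析日志", False),          # write a log-parsing script
]


if __name__ == "__main__":
    for name, triggers in (("broad", BROAD_TRIGGERS), ("scoped", SCOPED_TRIGGERS)):
        print(name, evaluate(triggers, PROMPTS))
```

On this constructed set the broad list activates on six of seven prompts with four false positives (precision 0.33), while the scoped list activates only on the two prompts that want governance help (precision 1.0, same recall). The numbers are only as good as the labelled prompt set, so a real check should draw prompts from the conversations the agent actually sees.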

Missing User Warnings

Medium
90% confidence
Finding
The skill states that it will generate a `quality-gate-report.md` file but does not clearly warn users up front that it performs a filesystem write. Undisclosed write behavior is dangerous because it can modify repositories, pollute working directories, or interfere with automated pipelines and audit trails, especially in CI/CD contexts where side effects should be explicit and controlled.

Missing User Warnings

Low
83% confidence
Finding
The tool writes a report file into the target directory without prior warning or confirmation. Although the impact is limited, silent writes are undesirable in security and quality tooling because they can surprise users, modify working trees, and interfere with downstream processes that assume scans are non-destructive.
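Worked example covering the Description-Behavior Mismatch finding and both Missing User Warnings findings, added here and not the bundled checker's code: one way to make a scanner's report write explicit and non-destructive. It keeps the report file name quoted in the findings (quality-gate-report.md), sends the report to a caller-chosen output directory that must lie outside the scanned tree, requires an opt-in flag to write into the scanned tree, and never silently overwrites an existing file. The demo() helper and its temporary directories are constructed for the demonstration.

```python
"""Non-destructive report output for a directory scanner.

Added example, not the skill's checker. Policies: report lands outside the
scanned tree by default, in-tree writes need an explicit opt-in, and an
existing file is an error rather than a silent overwrite.
"""
import tempfile
from pathlib import Path

REPORT_NAME = "quality-gate-report.md"  # name quoted in the findings


class UnsafeWriteError(Exception):
    """Raised when the requested report location would mutate the scanned tree."""


def choose_report_path(scanned_dir, out_dir=None, allow_in_place=False) -> Path:
    """Resolve where the report may go without touching the filesystem."""
    scanned = Path(scanned_dir).resolve()
    if out_dir is None:
        if not allow_in_place:
            raise UnsafeWriteError(
                f"refusing to write {REPORT_NAME} into scanned directory {scanned}; "
                "pass out_dir, or allow_in_place=True to opt in")
        return scanned / REPORT_NAME
    out = Path(out_dir).resolve()
    if out == scanned or scanned in out.parents:
        raise UnsafeWriteError(f"out_dir {out} lies inside scanned directory {scanned}")
    return out / REPORT_NAME


def write_report(scanned_dir, text, out_dir=None, allow_in_place=False,
                 overwrite=False) -> Path:
    """Write the report; open mode 'x' turns an existing file into an error."""
    path = choose_report_path(scanned_dir, out_dir, allow_in_place)
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w" if overwrite else "x", encoding="utf-8") as fh:
        fh.write(text)
    return path


def demo() -> dict:
    """Exercise each policy in a throwaway directory and return what happened."""
    base = Path(tempfile.mkdtemp()).resolve()
    skill = base / "skill"  # constructed stand-in for a scanned skill directory
    skill.mkdir()
    out = base / "reports"
    outcome = {}

    first = write_report(skill, "# quality gate\n", out_dir=out)
    outcome["written_outside_tree"] = first == out / REPORT_NAME
    outcome["content"] = first.read_text(encoding="utf-8")

    try:
        write_report(skill, "overwrite attempt\n", out_dir=out)
        outcome["clobber_refused"] = False
    except FileExistsError:
        outcome["clobber_refused"] = True

    try:
        choose_report_path(skill)  # default would land inside the scanned tree
        outcome["in_place_refused"] = False
    except UnsafeWriteError:
        outcome["in_place_refused"] = True

    try:
        choose_report_path(skill, out_dir=skill / "sub")  # nested output dir
        outcome["nested_out_dir_refused"] = False
    except UnsafeWriteError:
        outcome["nested_out_dir_refused"] = True

    opted_in = choose_report_path(skill, allow_in_place=True)
    outcome["opt_in_path_is_in_tree"] = opted_in == skill / REPORT_NAME
    outcome["scanned_tree_untouched"] = not (skill / REPORT_NAME).exists()
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The opt-in flag is the disclosure the findings ask for: a user or pipeline has to say, in the command line, that the scanned tree may be modified, and the default path of least surprise is a write to a separate output directory that a CI job can collect as an artifact.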

Ssd 3

Medium
98% confidence
Finding
The instruction `输出需保留推理过程` ("the output must retain the reasoning process") explicitly requires exposing the model's reasoning in outputs. Revealing chain-of-thought or detailed intermediate analysis can leak sensitive user data, internal heuristics, and security-relevant deliberation, especially in a quality/governance skill that may process defect reports, audit data, and cross-agent decisions.

VirusTotal

67/67 vendors flagged this skill as clean.
