Work Buddy 中文版

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Chinese work companion skill that may make the assistant more proactive, but it does not install code or request sensitive access.

Install this if you want the assistant to behave like a brief, proactive Chinese work companion. Keep it limited to reminders, summaries, and low-impact follow-ups, and require explicit confirmation before file edits, account actions, public posts, or sensitive decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description uses very broad activation language such as work companionship, brief check-ins, and natural follow-ups, which could cause it to trigger in many ordinary workplace conversations without clear user intent. That creates a scope-control problem: the assistant may become proactively intrusive or apply behavioral overrides in contexts where the user did not explicitly request this mode.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
The skill is written to enforce Chinese-language behavior by default and does not indicate that the user can choose another language. While not directly a security flaw, this can override user preference unexpectedly and increase the chance of inappropriate activation or degraded interaction quality in multilingual contexts.

VirusTotal

60/60 vendors flagged this skill as clean.
