my-test-skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only visual design skill that may broadly polish visual outputs, but it does not request code execution, credentials, persistence, or sensitive access.

Install this if you want the agent to consistently apply design-polish guidance to visual work. Be aware it may make visual outputs more styled or refined by default, including simple HTML or UI requests, so users who prefer minimal or strictly functional output may want to disable it for those tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
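The skill declares that it activates automatically whenever the user requests "any visual output" and requires that it intervene in the output process by default. This trigger scope overlaps with a large number of ordinary tasks, so extra behavior can easily be injected implicitly when the user has not explicitly requested the skill, causing skewed results, increased resource consumption, or conflicts with higher-priority instructions.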

Vague Triggers

Medium
Confidence
92% confidence
Finding
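The trigger patterns not only include broad examples but also use a vague catch-all description, "any request for HTML artifacts, React components with UI, or visual documents", with no boundaries or exclusion conditions. This significantly widens the matching surface, so the skill can take effect unexpectedly in common requests such as development, documentation, and data presentation, which increases the risk of it overstepping its scope to influence output style and the task execution path.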

VirusTotal

62/62 vendors flagged this skill as clean.
