CORE Prism (CORE 四维战略透镜)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to disclose a purpose-aligned use of local user profile context, with no evidence here of hidden execution, exfiltration, or persistence.

Install only if you are comfortable with the skill using USER.md to personalize responses. Keep secrets, credentials, and highly sensitive personal details out of USER.md unless you intentionally want skills to use that context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README explicitly states that the skill reads `USER.md` to adapt output, but it does not disclose scope limits, consent expectations, or any safeguards around what personal or sensitive data may be consumed. In an agent environment, implicit file access to user-context documents can lead to privacy violations, over-collection of data, and unintended propagation of sensitive information into prompts or downstream outputs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal