Post-Investment Management Report Auto-Update

Security checks across malware telemetry and agentic risk

Overview

This skill locally processes user-provided financial spreadsheets and Word documents to create an updated investment report, with no evidence of hidden access or data exfiltration.

Install dependencies from trusted package sources, provide only the intended financial statements, interview notes, and prior report, and use a new explicit output filename. Because the documents may contain confidential business data, review where any industry analysis is performed and check the generated report for accuracy and sensitive details before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly instructs the agent to read user-supplied Excel and DOCX files and to write a new DOCX report, yet no explicit permissions are declared. This creates a governance gap: reviewers and runtime policy may underestimate the skill's access needs, making unintended file access or writes harder to control and audit.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill workflow generates a new report file from user documents and could overwrite or create files, but the description does not prominently warn about this side effect. That omission increases the chance of accidental data loss, confusing user expectations, or unsafe automation where the agent writes to paths the user did not intend.

VirusTotal

64/64 vendors flagged this skill as clean.
