HV Analysis 横纵分析法

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only deep research workflow whose web searching is expected and disclosed for the report-writing purpose.

Install this only for deliberate deep research. Treat research targets, motivations, and focus areas as information that may be sent to online search providers or tool contexts, and separately inspect any external GitHub files or PDF conversion scripts before running them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The skill is described for broadly researching almost any product, company, concept, technology, or person, with no clear activation boundaries or exclusions. In an agent environment, this can cause the skill to trigger in situations where the user did not explicitly consent to a deep, networked investigation, increasing the chance of unnecessary data access, scope creep, or inappropriate use on sensitive subjects.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill states that it 'must' perform online searching and use parallel sub-agents, but it does not clearly warn the user in the skill description or activation contract that external network access is mandatory. This can lead to undisclosed transmission of user queries or research targets to external services, which is especially risky when the subject is sensitive, proprietary, or personally identifiable.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal