Security audit

Qa Regression Testing

Security checks across malware telemetry and agentic risk

Overview

This is a QA regression-testing guidance skill with read/search-only access and no evidence of hidden commands, data theft, persistence, or destructive behavior.

Install if you want Chinese-language help planning regression testing. Be aware it may activate on broad regression-testing phrases and can read/search project files when used, but the artifact does not request write, network, credential, or background authority.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation phrases are broad and overlap with ordinary QA discussion, which can cause the skill to trigger when a user is merely talking about regression concepts rather than requesting this workflow. In an agent system, over-broad routing can inject unintended instructions and change the assistant’s behavior in contexts where this skill was not meant to run.

Natural-Language Policy Violations

Medium

Confidence: 77% confidence
Finding: The skill content is written to operate in Chinese without stating that the locale is mandatory or giving a language-choice mechanism. This can cause user-intent mismatch, misinterpretation, or inaccessible behavior when invoked for users operating in other languages, which is a safety and reliability issue in multi-lingual agent environments.

Hidden Instructions

High

Category: Prompt Injection
Content: --- name: qa-regression-testing description: >- 回归测试策略，根据变更范围/风险等级/时间约束制定分级精准回归方案。当需要确定回归范围或优化回归效率时激活。
Confidence: 60% confidence
Finding: Hidden instructions were detected in comments or invisible text. These could contain malicious directives. Manual review is recommended.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal