Security audit

Qa Stakeholder Communication

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese QA communication-template skill with no executable code, persistence, network use, or data-changing behavior.

Install this if you want Chinese-language templates for QA stakeholder communication. Review output when your prompt is only generally about communication, and specify your preferred language if you do not want Chinese responses.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The activation condition uses broad natural-language triggers like “怎么沟通”, “跟开发说”, and “跟PM说”, which can match ordinary conversation and cause the skill to activate unintentionally. This can lead to prompt-routing errors, incorrect role-specific formatting, or unwanted language/style overrides, especially in multi-skill systems where precise invocation boundaries matter.

Natural-Language Policy Violations

Medium

Confidence: 87% confidence
Finding: The skill metadata and content are entirely in Chinese and define output formats in Chinese without indicating language negotiation or preserving the user’s preferred language. In practice, this can override user expectations, reduce usability, and create unsafe misunderstandings if bug severity, release risk, or stakeholder communications are rendered in a language the user did not request.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal