Security audit

Qa Tech Debt Management

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese QA technical-debt planning skill with no executable payload or hidden behavior, though its broad triggers may activate it more often than expected.

Install this if you want a Chinese-language framework for managing QA and test automation technical debt. Be aware that it declares Bash access and uses broad activation terms, so users may want to invoke it explicitly or narrow triggers if accidental activation would be disruptive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill’s trigger conditions are broad generic terms like '重构', '维护成本', and '技术债务', which can match many ordinary software discussions and cause unintended activation. Over-broad auto-triggering can route unrelated user conversations into this skill, leading to inappropriate guidance, context pollution, and reduced reliability of the agent’s skill-selection behavior.

Natural-Language Policy Violations

Medium

Confidence: 84% confidence
Finding: The skill metadata and usage conditions are written to operate in Chinese without indicating any language negotiation or fallback behavior. If auto-selected for users interacting in another language, it may produce mismatched outputs, misunderstand user intent, or reduce transparency and usability, which can indirectly affect safe and correct task handling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal