Back to skill

Security audit

超能去AI

Security checks across malware telemetry and agentic risk

Overview

The rewriting skill is mostly coherent, but it ships an unrelated executable GitHub upload script that can publish package contents externally if run.

Review before installing. The rewriting behavior is expected for this skill, but avoid using it for factual, legal, academic, or compliance-sensitive text unless you verify every changed detail. Do not run upload-to-github.sh unless you intend to publish the skill directory to a GitHub repository and have inspected exactly what git add -A will include.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill’s stated purpose is text rewriting, but the analyzed behavior indicates hidden repository initialization, staging/committing files, remote configuration, and network pushes to GitHub. Undisclosed file-system and network side effects are dangerous because they can exfiltrate local content or modify user workspaces under the guise of harmless editing.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill promises to preserve facts and core meaning, yet it instructs the agent to add private details, ambiguity, decoy clues, character flaws, and other invented narrative material. This can silently introduce false information, distort provenance, and make outputs deceptively appear human-authored while no longer faithfully representing the source.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The documentation says not to change facts or meaning, but the hard constraints and procedure simultaneously require inserting content such as unused props, private memories, dead-end clues, and altered information structure. This contradiction is dangerous because it encourages outputs that misrepresent originals while claiming fidelity, which can corrupt reports, testimony, academic work, or other integrity-sensitive text.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script's functionality is to initialize a Git repository, stage all local files, create a commit, configure a remote, and push content to GitHub, which is unrelated to the stated purpose of a text-rewriting skill. This mismatch is dangerous because users evaluating or installing the skill may not expect external publication behavior, creating a risk of unintended source or data disclosure if the script is run in a directory containing sensitive material.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script includes capability to publish local contents to an external GitHub repository by setting a remote and executing 'git push -u origin'. In the context of a text-rewriting skill, outbound source-control publishing is unjustified and increases the chance of exfiltrating proprietary prompts, local files, or other sensitive content to a third-party service.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad, natural-language requests such as '帮我润色成人写的' and '这看着太AI了', which can easily overlap with ordinary user intent outside a narrowly scoped rewriting workflow. This can cause the skill to activate unexpectedly and steer unrelated conversations into concealment-oriented rewriting behavior, increasing misuse risk and reducing user control.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The README presents the skill entirely in Chinese and frames its outputs around a fixed Chinese-language style without indicating any user-selectable locale or language behavior. This can lead to unexpected activation or output mismatches for users in other languages, making the skill less predictable and more prone to being applied in the wrong context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad everyday expressions like '像人写的' and '帮我润色成人写的', which can match ordinary editing requests and activate the skill unintentionally. Overbroad activation is risky here because the skill performs aggressive structural rewriting and may materially alter content without the user knowingly opting into that behavior.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file is entirely written as a Chinese-only role definition and the finding indicates the skill forces Chinese output without user language choice or opt-in. This can override a user's preferred language, reduce transparency, and create accessibility and usability issues, especially in multilingual environments where users may not understand the transformed output.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The role file is entirely written as prescriptive Chinese-only output guidance and does not indicate any user language preference handling or opt-in. This can override a user's requested language, reducing user control and creating prompt-quality and accessibility issues, though it is not directly a code-execution or data-exfiltration risk.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill content is entirely authored in Chinese and the metadata/trigger phrases indicate a Chinese-only interaction model, with no indication that users may choose another language or that the skill will adapt to the user's preferred language. This can cause unintended behavior, reduced transparency, and exclusion of users who interact in other languages, especially if the broader agent is expected to preserve user language or obtain consent before switching.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.