Summary Budget Model And New Script

Security checks across malware telemetry and agentic risk

Overview

This skill is ostensibly for updating budget-model and script knowledge, but it persists chat-derived content into other installed skill files and logs without a clear approval step.

Install it only if you intentionally want an agent to update other budget/script skills from chat history. Require the agent to show the exact proposed change (ideally as a diff) and wait for explicit approval before any write, and do not run it on conversations containing credentials, customer data, private business details, temporary experiments, or unreviewed code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases "【更新技能】" (update skill) and "【记录新的脚本写法】" (record a new script pattern) are broad enough that they could be invoked during ordinary discussion rather than as an explicitly authorized persistence action. Because this skill writes to other skill files and logs, an accidental or prompt-injected trigger could cause unintended persistent modifications to trusted reference content.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The "何时使用" ("When to use") section relies on broad semantic conditions, such as discovering new scripts, fields, or business rules, without clearly separating discussion from execution. In a skill that harvests conversation history and persists updates, this ambiguity increases the chance of unwanted activation from normal conversation or adversarial prompt content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to directly modify multiple files and logs, but it does not prominently warn that these are persistent write operations with lasting effects. That omission weakens informed consent and makes it easier for users or upstream prompts to trigger durable changes to reference files without realizing they are altering system knowledge.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manifest description defines activation in very broad terms ('when the user issues a summary instruction'), which can cause the skill to trigger on ambiguous requests and process more conversation history than the user clearly intended. In a skill that extracts and updates other skills' data models and scripts, this creates a real prompt-scope and unintended-modification risk rather than a purely cosmetic documentation issue.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrase "【总结对话内容】" (summarize the conversation) is broad enough to plausibly appear in ordinary conversation, which could cause the skill to activate unintentionally and begin extracting or modifying maintained skill content. In this skill's context, unintended activation is more dangerous because the documented workflow explicitly includes updating other skill files and logs, turning a conversational phrase into a state-changing action.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions tell the agent to review conversation history and update skill files and logs, but they do not require a user-facing warning, explicit consent, or confirmation before performing those modifications. This is dangerous because the skill can convert prior untrusted conversation content into persistent changes, creating a path for prompt-injection persistence or unauthorized configuration drift.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly instructs the agent to automatically update skill files, record logs, and create backups based on natural-language triggers, but it does not clearly warn that these actions persistently modify local files. In an agent setting, this can lead to unintended or unauthorized workspace changes if a user or prior conversation content triggers the workflow without clear confirmation boundaries.

Ssd 3

Medium
Confidence
92% confidence
Finding
This section describes a workflow that persists summarized conversation content into skill reference files and logs automatically from broad trigger phrases. That behavior is dangerous because prompt-injected or untrusted conversation content may be treated as authoritative and written into persistent instructions or reference material, creating memory poisoning and durable propagation of unsafe content.

Ssd 3

Medium
Confidence
94% confidence
Finding
The examples normalize taking user-provided script snippets, table schemas, and operator identity from chat and storing them in persistent files. This increases risk because sensitive data, malicious code patterns, or fabricated data models can be laundered into trusted skill assets, where they may later influence agent behavior or expose personal information.
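The Overview's recommendation (show the exact proposed change, wait for explicit approval, keep credentials out of what gets written) and the findings above (triggers that fire on a passing mention, unreviewed chat content persisted into skill files) can both be enforced in code. The following is an added example written for this page, not code from the skill, from SkillSpector, or from NVIDIA. It assumes skill files are plain UTF-8 text on local disk, treats a message as a trigger only when it is exactly one of the quoted phrases, uses a handful of illustrative regexes as a stand-in for a real secret scanner, and takes the reviewer's decision as a callback that sees the unified diff; the sample skill file and the leaked credential are constructed.

```python
"""Approval-gated update of a skill file (added example; see lead-in).

Assumptions, none taken from the page: skill files are plain UTF-8 text on
local disk, the trigger phrases are the three quoted in the findings, the
secret patterns are illustrative, and `approve` is a callback that returns
True only after a human has seen the unified diff.
"""
import difflib
import re
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable

# The trigger phrases quoted in the findings. A message activates the skill
# only when it *is* one of these (after trimming), never when the phrase is
# merely mentioned inside a longer sentence.
TRIGGERS = {"【更新技能】", "【记录新的脚本写法】", "【总结对话内容】"}


def is_explicit_trigger(message: str) -> bool:
    """True for a bare command, False for a passing mention of the phrase."""
    return message.strip() in TRIGGERS


# Content that must not be laundered from chat into a persistent skill file.
# Illustrative patterns only (assumption), not an exhaustive secret scanner.
SENSITIVE = [
    (re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S+"),
     "credential assignment"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS access key id"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "private key block"),
    (re.compile(r"(?i)ignore (all |any )?(previous|prior) instructions"),
     "instruction-override text"),
]


def scan_sensitive(text: str) -> list:
    """Labels of every sensitive pattern found in the proposed content."""
    return [label for pattern, label in SENSITIVE if pattern.search(text)]


def proposed_diff(path: Path, new_content: str) -> str:
    """Unified diff between the file on disk (empty if absent) and the proposal."""
    old = path.read_text(encoding="utf-8").splitlines(keepends=True) if path.exists() else []
    new = new_content.splitlines(keepends=True)
    return "".join(difflib.unified_diff(old, new, fromfile=f"a/{path.name}", tofile=f"b/{path.name}"))


def gated_update(path: Path, new_content: str, message: str,
                 approve: Callable[[str], bool]) -> str:
    """Write `new_content` to `path` only if every gate passes.

    Returns "not-triggered", "blocked:<labels>", "no-change", "rejected" or "written".
    """
    if not is_explicit_trigger(message):
        return "not-triggered"
    findings = scan_sensitive(new_content)
    if findings:                       # refuse before anything reaches disk
        return "blocked:" + ",".join(findings)
    diff = proposed_diff(path, new_content)
    if not diff:
        return "no-change"
    if not approve(diff):              # the human sees the exact change first
        return "rejected"
    if path.exists():                  # keep a restorable copy of the old file
        shutil.copy2(path, path.with_name(path.name + f".{int(time.time())}.bak"))
    path.write_text(new_content, encoding="utf-8")
    return "written"


def demo() -> dict:
    """Run the gate over constructed sample inputs in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "budget-model.md"
        skill.write_text("# Budget model (constructed sample)\n| amount | decimal |\n", encoding="utf-8")
        clean = skill.read_text(encoding="utf-8") + "| cost_center | string |\n"
        leaked = clean + "db password=hunter2\n"       # constructed leak
        # Phrase only mentioned in passing: the skill must stay dormant.
        results["mentioned"] = gated_update(skill, clean, "maybe run 【更新技能】 tomorrow", lambda d: True)
        # Credential in the proposal: blocked before the diff is even shown.
        results["leaked"] = gated_update(skill, leaked, "【更新技能】", lambda d: True)
        # Reviewer approves after checking the diff contains only the new row.
        results["approved"] = gated_update(skill, clean, "【更新技能】", lambda d: "+| cost_center" in d)
        results["backups"] = len(list(Path(tmp).glob("budget-model.md.*.bak")))
        # Reviewer declines: nothing is written.
        results["rejected"] = gated_update(skill, clean + "| notes | text |\n", "【更新技能】", lambda d: False)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the gates matters: the trigger check runs first so that a phrase quoted in ordinary discussion never starts the workflow, the content scan runs before the diff is shown so that a credential is not surfaced to a reviewer or written to a log, and the backup is taken only after a human has approved the exact diff, which is the point at which a durable change is actually authorized.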

VirusTotal

65/65 vendors reported this skill as clean.

View on VirusTotal