UCloud_indeustry_trend

Security checks across malware telemetry and agentic risk

Overview

This is a research-only industry trend skill with no executable code, persistence, credential access, or destructive behavior.

This skill appears safe to install as an instruction-only market research helper. Users should expect it to browse external public sources and produce Chinese-formatted industry briefs by default; ask for another language if needed. The broad marketplace capability tags should be cleaned up by the publisher if they are user-visible or permission-bearing, because the artifact itself does not need purchase or crypto authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium, 95% confidence

Finding: The skill hard-codes the Chinese term `重点团队` as required output terminology without any user language preference or localization mechanism. This can override user expectations, reduce usability, and create prompt-scope leakage where the skill imposes presentation constraints unrelated to the user's request.

Natural-Language Policy Violations

Medium, 98% confidence

Finding: The output section requires fixed Chinese headings and Chinese fallback messages, with no option to adapt to user language. This is a real prompt-quality and control issue because the skill can force non-user-requested language into responses, causing inconsistent UX and making downstream composition with other skills harder.

VirusTotal

66/66 vendors flagged this skill as clean.
