Daozheji Grill Skill

Security checks across malware telemetry and agentic risk

Overview

This restaurant support skill is mostly coherent, but its installers create automatic background updates and can overwrite existing local files without clear opt-in.

Review the installer before use. Prefer manual installation or remove the cron/Scheduled Task auto-update lines, and back up any existing daozheji-grill skill directory before replacing it. The core restaurant reference files look purpose-aligned, and neither VirusTotal nor the static scan produced evidence of malicious content, but the automatic updater and the overwrite behavior make this a Review install rather than a clean benign one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Intent-Code Divergence

Severity: Low | Confidence: 99%
Finding:
The file contains unresolved Git merge-conflict markers in the YAML front matter, which can break parsing of the skill manifest or cause inconsistent interpretation of metadata such as the homepage field. In an agent-skill context, malformed manifests can prevent reliable loading, create undefined behavior across tooling, and undermine trust in which version of the skill is actually being deployed.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
Finding:
The installer creates a persistent scheduled task that runs daily and performs network-based code updates via git pull. Persistence is security-sensitive because it establishes ongoing code execution after installation, and in this skill context there is no clear operational need disclosed to the user that would justify automatic background execution.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
Finding:
The script advertises itself as a one-line installer but silently establishes a recurring cron job that persistently updates code from a remote repository. This creates ongoing code execution and supply-chain exposure after the initial install, especially because future repository changes will be pulled automatically without user review.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding:
The trigger list includes generic food terms such as '羊排' and '烧烤', which are broad enough to match many unrelated restaurant or food conversations. This can cause unintended activation, leading the agent to respond in the wrong context, confuse users, or expose restaurant-specific content when it was not requested.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding:
The trigger description includes generic food-related keywords such as '羊排', '猪蹄', and '烧烤', which are broad enough to activate the skill outside the specific '稻哲纪' restaurant context. This can cause the agent to inappropriately assume brand-specific business facts and answer using restaurant reference files for unrelated user queries, leading to misleading responses and accidental prompt hijacking of general food conversations.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding:
The short-keyword trigger table uses ambiguous everyday phrases like '菜单', '推荐', '多少钱', and '在哪', which commonly appear in unrelated conversations. In a conversational agent, such loose triggers can cause unintended skill activation and push the model into a branded sales persona, increasing the chance of irrelevant, misleading, or privacy-intrusive responses when the user was not asking about this restaurant.

Missing User Warnings

Severity: High | Confidence: 98%
Finding:
The usage instruction explicitly tells users to pipe a remotely fetched script from the internet directly into iex, which executes unreviewed code immediately. This is dangerous because any compromise of the source, repository, account, or network path can lead to arbitrary code execution on the user's machine.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding:
The script forcefully deletes any existing skill directory and replaces it without confirmation, backup, or validation of what is being removed. This can destroy local modifications or data and, if path variables are manipulated or misconfigured, could result in unintended file deletion within the user's profile or configured skills directory.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding:
The installer silently configures a persistent scheduled task for automatic updates without prominently warning the user before making that system change. This is risky because it creates an ongoing execution mechanism that regularly reaches out to a remote repository, expanding the attack surface and reducing user awareness and control.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding:
The script forcefully deletes an existing target directory with rm -rf when it is not a git checkout, without confirmation or backup. This can destroy user data or locally modified content if the path already contains important files, and the one-click install context makes accidental loss more likely.

VirusTotal

65/65 vendors flagged this skill as clean.