稻哲纪烤羊排 (Daozheji grilled lamb ribs)

Security checks across malware telemetry and agentic risk

Overview

The skill's stated purpose, customer service for a restaurant, is reasonable, but its installers register a daily background GitHub update and can delete and replace an existing skill directory without clear user control.

Review before installing. Download and read the installer instead of piping it into a shell, prefer a manual install pinned to a reviewed commit, remove or skip the cron/Scheduled Task auto-updater, back up any existing daozheji-grill skill directory first, and narrow the activation triggers so the skill only responds when the user clearly means this restaurant.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The installer configures a persistent daily auto-update mechanism via a Windows scheduled task, which materially exceeds the expected capabilities of a restaurant-information customer-service skill. This creates ongoing code execution from a remote repository after installation, increasing supply-chain and persistence risk if the repository is later compromised or changed unexpectedly.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The script registers a recurring Windows scheduled task that runs PowerShell and performs git pulls daily, establishing persistence unrelated to the stated function of answering restaurant questions. For a simple customer-service skill, this capability is unjustified and dangerous because it enables recurring execution of remotely sourced code without further user interaction.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The installer silently adds a daily cron job to keep pulling code from a remote repository, creating persistence beyond a one-time skill install. For a restaurant-information skill, this behavior exceeds expected scope and introduces an ongoing code-execution path if the repository is later compromised or changed unexpectedly.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
Writing to the user's crontab gives the script persistence and the ability to re-execute network-fetched code regularly. In the context of a simple food-service customer support skill, that capability is unnecessary and materially increases risk because future repository changes can be pulled and executed without fresh user review.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The usage text encourages piping a remote script directly to bash but does not disclose that the script will persistently alter the user's scheduled tasks. This deprives users of informed consent and makes it easier for risky behavior to be executed without inspection, especially if the remote content changes over time.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill declares an automatic self-update mechanism using `git pull`, which introduces a code-supply-chain risk unrelated to a simple restaurant customer-service function. If the upstream repository, transport path, or referenced branch is compromised, the skill loader could fetch and run changed content without review, turning a low-risk informational skill into a delivery vector for malicious updates.
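The installer findings above (scheduled task, crontab, pipe-to-bash usage text, `git pull` self-update) and the overview's advice to review before installing amount to one pre-install check. The script below is an added example, not part of the SkillSpector report or the skill's own code: it scans an installer's text for persistence (crontab, cron.d, Windows scheduled tasks), recursive deletes and unpinned remote-update commands, and refuses anything that persists or deletes. The three installer samples embedded in it are constructed to mirror the behaviour the findings describe, alongside the pinned manual install the overview recommends; the repository URL, the `~/.skills` path, the task name and the `PINNED_COMMIT` argument are assumptions.

```python
"""Pre-install audit for agent-skill installer scripts.

Added example, not part of the SkillSpector report or the skill's own code:
scan an installer's text for persistence, recursive deletes and unpinned
remote-update commands before anything is piped into bash or PowerShell.
The repository URL, the ~/.skills path, the task name and PINNED_COMMIT in
the constructed samples are assumptions.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str   # "persistence" | "destructive" | "remote-update"
    line_no: int    # 1-based line in the installer text
    line: str       # offending line, stripped
    why: str

# (category, regex, explanation); covers the bash and PowerShell installer
# shapes the report describes.
RULES = [
    ("persistence", r"\bcrontab\b", "edits the user's crontab"),
    ("persistence", r"/etc/cron\.(d|daily|hourly|weekly)\b", "drops a system cron job"),
    ("persistence", r"\bschtasks(\.exe)?\b|\bRegister-ScheduledTask\b", "registers a Windows scheduled task"),
    ("destructive", r"\brm\s+-[A-Za-z]*(rf|fr|r\s+-f)\b", "recursive forced delete"),
    ("destructive", r"\bRemove-Item\b.*-Recurse\b", "recursive delete via PowerShell"),
    ("destructive", r"\brmdir\s+/s\b", "recursive delete via cmd.exe"),
    ("remote-update", r"\bgit\s+pull\b", "pulls unpinned code from a remote"),
    ("remote-update", r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b", "pipes a download straight into a shell"),
    ("remote-update", r"\b(iex|Invoke-Expression)\b", "executes downloaded text in PowerShell"),
]
COMPILED = [(cat, re.compile(rx, re.IGNORECASE), why) for cat, rx, why in RULES]

def audit_installer(text: str) -> list[Finding]:
    """One Finding per (rule, line) hit; blank and comment lines are skipped."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for category, rx, why in COMPILED:
            if rx.search(line):
                findings.append(Finding(category, no, line, why))
    return findings

def categories(findings) -> set[str]:
    return {f.category for f in findings}

def should_block(findings) -> bool:
    """Refuse anything that persists or deletes; remote-update alone is only a warning."""
    return bool(categories(findings) & {"persistence", "destructive"})

def report(name: str, text: str) -> str:
    """Summary line (BLOCK / WARN / OK) followed by one line per hit."""
    findings = audit_installer(text)
    verdict = "BLOCK" if should_block(findings) else ("WARN" if findings else "OK")
    out = [f"{name}: {verdict}"]
    out += [f"  [{f.category}] line {f.line_no}: {f.why}: {f.line}" for f in findings]
    return "\n".join(out)

# Constructed sample of the bash installer shape the report describes.
SAMPLE_INSTALL_SH = r"""#!/usr/bin/env bash
set -euo pipefail
SKILL_DIR="$HOME/.skills/daozheji-grill"
if [ -d "$SKILL_DIR" ] && [ ! -d "$SKILL_DIR/.git" ]; then
  rm -rf "$SKILL_DIR"
fi
git clone https://github.com/example/daozheji-grill.git "$SKILL_DIR"
( crontab -l 2>/dev/null; echo "0 4 * * * cd $SKILL_DIR && git pull -q" ) | crontab -
"""
# Constructed sample of the PowerShell installer shape the report describes.
SAMPLE_INSTALL_PS1 = r"""$SkillDir = "$env:USERPROFILE\skills\daozheji-grill"
if (Test-Path $SkillDir) { Remove-Item -Recurse -Force $SkillDir }
git clone https://github.com/example/daozheji-grill.git $SkillDir
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument ("-NoProfile -Command cd " + $SkillDir + "; git pull")
$Trigger = New-ScheduledTaskTrigger -Daily -At 4am
Register-ScheduledTask -TaskName "DaozhejiGrillUpdate" -Action $Action -Trigger $Trigger
"""
# Constructed example of the manual, pinned install the overview recommends:
# back up, clone, check out a reviewed commit, and register no scheduler.
SAMPLE_PINNED_INSTALL_SH = r"""#!/usr/bin/env bash
set -euo pipefail
SKILL_DIR="$HOME/.skills/daozheji-grill"
PINNED_COMMIT="${1:?usage: install.sh <reviewed commit sha>}"
[ -e "$SKILL_DIR" ] && mv "$SKILL_DIR" "$SKILL_DIR.bak.$(date +%s)"
git clone https://github.com/example/daozheji-grill.git "$SKILL_DIR"
git -C "$SKILL_DIR" checkout --detach "$PINNED_COMMIT"
"""

if __name__ == "__main__":
    for name, text in [("install.sh", SAMPLE_INSTALL_SH), ("install.ps1", SAMPLE_INSTALL_PS1),
                       ("pinned-install.sh", SAMPLE_PINNED_INSTALL_SH)]:
        print(report(name, text))
```

Run it against a downloaded installer (`audit_installer(open("install.sh").read())`) before executing the file. The rules are deliberately line-based and crude: a pattern match is a prompt to read that line, not proof of malice, and a clean result only means none of these specific behaviours was spotted, so the script is a first filter ahead of a manual read, not a replacement for one.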

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger list includes very generic food terms such as '羊排' (lamb ribs) and '烧烤' (barbecue), which can activate the skill during unrelated restaurant or cooking conversations. This creates unintended routing and response-hijacking risk: a user asking for general food information may be answered as if they were asking about this specific business.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger keywords include the same highly generic food terms, '羊排' (lamb ribs) and '烧烤' (barbecue), which can activate the skill for unrelated restaurant or general food conversations. Over-broad activation can hijack user intent, route conversations to the wrong skill, and increase the chance that business-specific answers are given outside the intended context.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The short-keyword table contains very common phrases such as '菜单' (menu), '推荐' (recommendation), '价' (price), '多少钱' (how much) and '在哪' (where), none of which is unique to this restaurant, so they may match ordinary conversation. Because the skill answers with store-specific data, accidental activation raises the risk of irrelevant or incorrect responses and poor containment of business-specific prompting.
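The three trigger findings above reduce to one problem: generic food words fire the skill on their own. The code below is an added example, not the skill's own trigger logic or anything from the report: it places the broad keyword match the findings describe next to a narrowed policy that fires only when the restaurant name is present, or when a generic term appears shortly after the name was mentioned, so follow-up questions still work once the restaurant is the topic. The brand tokens `稻哲纪` and `daozheji` come from the page title and the skill directory name; the conversation samples are constructed.

```python
"""Narrowing skill activation triggers.

Added example (not the skill's own trigger logic): the report's broad
keyword match beside a narrowed policy that only fires when this restaurant
is actually the subject of the conversation.
"""

# Brand tokens: the name from the page title and the romanised directory name.
BRAND_TERMS = ("稻哲纪", "daozheji")
# Generic terms quoted in the findings: lamb ribs, barbecue, menu, recommend,
# price, how much, where. None of them is specific to this restaurant.
GENERIC_TERMS = ("羊排", "烧烤", "菜单", "推荐", "价", "多少钱", "在哪")

def _has_any(text: str, terms) -> bool:
    text = text.lower()
    return any(t in text for t in terms)

def broad_trigger(message: str) -> bool:
    """The report's pattern: any brand or generic keyword activates the skill."""
    return _has_any(message, BRAND_TERMS + GENERIC_TERMS)

def narrow_trigger(message: str, history=(), window: int = 3) -> bool:
    """Fire on an explicit brand mention, or on a generic term only when the
    brand was mentioned within the last `window` user turns, so a follow-up
    like "how much?" still routes here once the restaurant is the topic."""
    if _has_any(message, BRAND_TERMS):
        return True
    if not _has_any(message, GENERIC_TERMS):
        return False
    return any(_has_any(turn, BRAND_TERMS) for turn in tuple(history)[-window:])

# Constructed conversation samples: (prior user turns, message, should the skill fire).
SAMPLES = [
    ((), "稻哲纪的烤羊排多少钱？", True),                  # "How much are Daozheji's grilled lamb ribs?"
    ((), "今晚在家烧烤，推荐个腌料", False),                # "Barbecue at home tonight, recommend a marinade"
    ((), "附近哪家羊排好吃？", False),                     # "Which nearby place does good lamb ribs?"
    (("稻哲纪在哪？",), "菜单上有什么推荐", True),           # "Where is Daozheji?" then "What's recommended on the menu?"
    (("稻哲纪在哪？", "谢谢", "明天天气怎么样", "帮我定个闹钟"), "多少钱", False),  # brand mention fell outside the window
]

def false_positives(samples=SAMPLES):
    """(broad, narrow) counts of activations on messages not about this restaurant."""
    broad_fp = sum(1 for h, m, want in samples if not want and broad_trigger(m))
    narrow_fp = sum(1 for h, m, want in samples if not want and narrow_trigger(m, h))
    return broad_fp, narrow_fp

if __name__ == "__main__":
    for history, message, want in SAMPLES:
        print(f"{message!r}: broad={broad_trigger(message)} narrow={narrow_trigger(message, history)} expected={want}")
    print("false positives (broad, narrow):", false_positives())
```

The window is the knob to tune: too small and follow-up questions drop out of the skill, too large and an old mention keeps capturing unrelated food talk. Whatever the skill runtime uses for trigger matching, the same shape applies: generic terms should only count as evidence once the brand has anchored the conversation.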

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The installer can delete an existing skill directory and also registers persistent execution without any in-script warning, confirmation, or explanation. Lack of transparency around destructive actions and persistence increases the chance of unintended data loss and leaves users unaware that the system will continue executing update logic after installation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
If the target directory already exists and is not a git checkout, the installer deletes it recursively without asking for confirmation or creating a backup. This can destroy user data or locally customized skill content, turning installation into a destructive operation with little warning.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script modifies the user's crontab without a prominent warning before execution, creating persistence and an ongoing remote update channel. Silent scheduling is risky because users may not realize the software will continue changing after installation.

VirusTotal

VirusTotal findings are pending for this skill version.