Security audit

hotspot-writer

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed public-trend research and copywriting helper, with expected network use and local draft archiving but no executable code or hidden high-impact behavior.

Install this only if you want a Chinese-platform trend monitoring and copywriting assistant. Use explicit prompts, set time limits for monitoring, review what it saves under hotspot-archive, and verify generated facts and wording before publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description contains very broad trigger phrases such as '蹭热点、写热点、追热点、写文案', which are common everyday requests and can cause the skill to be invoked unintentionally in unrelated contexts. Because this skill performs network access and content generation, accidental invocation could lead to unexpected external requests or content handling beyond the user's intent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The markdown describes automatic archival of fetched trends and generated articles to local files, but it does not clearly warn users that the skill writes data to disk. Silent or unclear file-writing behavior is risky because it can persist potentially sensitive prompts, generated content, or browsing-derived data without explicit user awareness or consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal