头脑超级风暴1

Security checks across malware telemetry and agentic risk

Overview

This is a transparent brainstorming and design-planning skill, with no executable code or hidden data handling, but users should know it can read project context and may create a local design commit.

Install this if you want a structured design-first workflow. Before using it in an active repository, make sure your agent asks before reading broad project context, writing docs/plans files, or creating git commits; the artifact does not show exfiltration, destructive actions, credential use, or hidden execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
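The skill defines its trigger condition as "must be used before any creative work," which is extremely broad and makes it likely to be invoked automatically in scenarios that are unrelated to the user's goal or where it is unnecessary. Such a mandatory precondition enlarges the skill's impact surface: workflows get hijacked into the skill, and the opportunities for unnecessary file reads, project exploration, and follow-on sub-skill invocations increase, which brings risks of policy deviation, overreaching context collection, or resource abuse.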

Natural-Language Policy Violations

Medium
Confidence: 81%
Finding
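The entire skill is written with Chinese as a mandatory language and does not state that it can switch according to the user's language preference, which leads to an inconsistent language/locale policy. In a multilingual agent environment, this kind of implicit language binding can cause misunderstanding, mistaken confirmations, and failed requirement clarification, and can even leave users unable to effectively review the design content and subsequent actions.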

VirusTotal

65/65 vendors flagged this skill as clean.
