Test Audit Record Save 4

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a broad workflow-guidance skill with usability and scoping caveats, but no evidence of hidden, destructive, credential-stealing, or exfiltrating behavior was provided.

Install only if you are comfortable with a skill that may activate broadly during creative or planning work. Review its language behavior and make sure important confirmations are in a language you fully understand before allowing document changes or other consequential outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
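The skill's trigger description is "must be used before any creative work," which is overly broad and mandatory in tone, so the skill can easily be invoked unintentionally in many ordinary development or creative scenarios. This amplifies the skill's influence on the workflow, causing it to step into project-context review, questioning, and document-writing processes when it is not needed, and increases the risk of false triggering, excessive context collection, and workflow hijacking.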

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
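Both the skill metadata and its content default to interacting in Chinese, but they do not state whether this is based on user preference, deployment environment, or business requirements, and they provide no language negotiation mechanism. When the language does not match the user's, this may lead to misunderstandings and incorrectly confirmed design content, and may even make it hard for users to promptly recognize the real meaning of high-impact operations such as document writes and git commits.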

VirusTotal

65/65 vendors flagged this skill as clean.
