友行

Security checks across malware telemetry and agentic risk

Overview

This skill is a small event-lookup helper that contacts a disclosed third-party API and does not show hidden data access, persistence, or destructive behavior.

Install only if you are comfortable with the skill running local Node.js commands and contacting api.cumen.fun. For activity details, prefer IDs returned by the list command and do not paste arbitrary untrusted text into the CAMPAIGN_ID placeholder.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger condition is broad enough that any mention of “友行” or “友行青年社群” may activate the skill even when the user is not requesting event information. This can cause unintended routing, unnecessary third-party API calls, and accidental disclosure of user context to an external service.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal