Security audit

Deep Reader

Security checks across malware telemetry and agentic risk

Overview

Deep Reader is a coherent reading-analysis skill for user-provided books and URLs, with no evidence of hidden persistence, credential access, exfiltration, or destructive behavior.

Install this if you want an assistant to analyze books, documents, or webpage URLs you provide. Avoid using it with confidential manuscripts, private PDFs, sensitive text files, or private webpages unless you are comfortable with their contents being read, summarized, and potentially quoted in the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are very broad, everyday language such as requests for an overview, main idea, comparison, or deep analysis. In a skill-routing system, this can cause accidental invocation on ordinary user prompts, leading the agent to process local files or URLs unexpectedly and potentially exposing content the user did not intend this skill to access.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger keywords include very broad, everyday phrases such as '主要内容', '核心观点', and '详细分析', which can plausibly appear in ordinary conversation unrelated to this skill. In an agent environment, overly generic triggers can cause accidental invocation on unintended content, leading to unnecessary file/URL processing, privacy exposure, or confusing agent behavior.

Vague Triggers

Medium
Confidence: 90%
Finding
The web/article trigger phrases are broad enough to match many ordinary requests such as asking what a link says, which can cause the skill to activate and fetch external content without sufficiently explicit user intent. In a skill that performs URL retrieval, overbroad activation increases the chance of unintended network access, content ingestion, and analysis of attacker-controlled webpages.

Vague Triggers

Medium
Confidence: 84%
Finding
Defaulting to analytical reading when user intent is unclear creates an ambiguous activation path that can make the skill perform deeper processing than the user intended. In practice, this can amplify accidental invocation, increase token/tool usage, and combine dangerously with the URL-fetch behavior to analyze external content without a clear user opt-in.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill description says it supports webpage URL analysis but does not clearly warn users that the system may fetch external webpages and retrieve remote content. Missing disclosure undermines informed consent and makes unintended outbound requests more likely, particularly when combined with broad trigger phrases.

Vague Triggers

Medium
Confidence: 92%
Finding
The document proposes trigger phrases such as '这本书在谈什么', '作者为什么这么说', and '这本书对我有什么用', which are broad natural-language expressions likely to appear in ordinary conversation outside an explicit deep-reading request. In an agent skill, overly broad triggers can cause unintended activation on unrelated user input, leading the system to ingest URLs/files or produce analysis the user did not actually request.

VirusTotal

64/64 vendors flagged this skill as clean.