Model Consumption Statistics

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed usage-reporting helper that formats model token and cost statistics for Feishu, with no executable code or hidden install behavior.

Install this only if you are comfortable letting the agent summarize model usage and send it to Feishu. For shared channels, prefer aggregate totals, redact session IDs, and avoid exporting detailed per-session reports unless the user explicitly needs them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs the agent to send session usage statistics to Feishu, an external messaging platform, without an explicit user-consent or data-minimization step. Even if the content is framed as 'statistics,' session IDs, model names, activity windows, and usage patterns are metadata that can reveal sensitive operational behavior and should not be transmitted externally by default.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The export workflow encourages generating detailed per-session reports, including top sessions and model usage details, but does not warn that these artifacts may contain sensitive metadata suitable for profiling user behavior, internal workloads, or billing patterns. If shared or stored insecurely, these reports could leak operational intelligence beyond the original conversation context.

VirusTotal

64/64 vendors flagged this skill as clean.
