工作日薪看板 Pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local wage dashboard and Pomodoro widget with no evidence of hidden exfiltration, destructive behavior, or privileged actions.

Install only if you are comfortable with a browser widget storing salary and schedule settings in localStorage and loading fonts from the listed CDN. Treat weather generation as optional and user-directed, and consider correcting the package capability tags because they overstate the inspected artifact capabilities.

Publisher note

工作日薪看板 Pro — 实时工资计算 + 番茄钟专注的玻璃质感 HTML widget。这是用户的个人生产力工具，存在于 references\daily_wage.html。当用户提及"工作日薪"、"工资看板"、"daily_wage"、"番茄钟"、"专注时刻"、桌面 widget 或玻璃质感卡片时，必须使用本 skill。本 skill 包含该文件的完整架构、视觉规范、交互逻辑和核心代码，任何 bot 都能据此准确还原。 github 地址： https://github.com/lwter/nexus-wage-widget

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill says it 'must' be used for broad trigger phrases like 工作日薪, 工资看板, 番茄钟, 专注时刻, desktop widget, and glass-style cards, which can match many unrelated user requests. Over-broad mandatory routing can cause inappropriate invocation, unnecessary exposure of embedded code/specs, and reduced user control over which tool is used.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal