Security audit

Critigraph Vm

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Chinese-language skill describing a math-based reasoning method, with no artifact-backed signs of hidden execution, data access, persistence, or exfiltration.

Install this only if you are comfortable with the Chinese documentation or have translated it. This review covers the submitted skill artifact, not any separate code that may exist at the linked GitHub homepage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The skill metadata and user-facing description are entirely in Chinese without any indication that the user opted into that language. This can impair informed consent and safe use because users may invoke the skill without understanding its purpose, limitations, or operational behavior, increasing the risk of misuse or unintended execution in multilingual environments.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.