Security audit

声音制作规范，Jiuge_Flow_Perfect_V1.skill

Security checks across malware telemetry and agentic risk

Overview

The packaged files appear to be a local audio-processing workflow, but the registry metadata describes an unrelated broad behavior-control skill, so users should review the mismatch before installing.

Review the listing carefully because the visible metadata and packaged files describe different purposes. Install only if you intend to run a local audio-processing script, are comfortable with processed audio being retained under ~/Desktop/Jiuge_Audio_Projects, and can verify the hardcoded local tool paths match your environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 83% confidence
Finding: The skill explicitly states that outputs are automatically archived to a named project directory, but it does not disclose retention behavior, storage location details, overwrite behavior, or privacy implications of preserving processed audio files. For an audio-processing workflow that may handle sensitive voice recordings, undisclosed archival can lead to unintended persistence and exposure of personal or confidential content.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal