Chinese Workdays

Security checks across malware telemetry and agentic risk

Overview

This skill is a useful local calendar calculator, but it can silently use generated or unsupported holiday data while presenting results as official.

Review before installing if you might use this for payroll, compliance, contracts, attendance, or other operational decisions. It appears locally scoped and not malicious, but users should verify each YAML file against official notices and avoid relying on unsupported years unless the placeholder-generation behavior is removed or clearly disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The implementation auto-generates placeholder holiday calendars when a year is missing, despite the skill claiming to rely on official State Council schedules. This can silently produce incorrect legal workday calculations that downstream payroll, compliance, attendance, or scheduling workflows may trust as authoritative.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The module documentation states that calculations are based on Chinese government holiday schedules, but the code can create synthetic example data instead of using official arrangements. This is a trust and integrity issue: users may make legal or operational decisions based on inaccurate results because the behavior is misrepresented.

VirusTotal

59/59 vendors flagged this skill as clean.
