Security audit

国网调研报告撰写

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only report-writing skill that creates Word research reports from user-provided materials, with no evidence of hidden code, credential use, or unrelated data access.

Install this if you specifically need Chinese State Grid-style HR or reform research reports. Use it only with documents you are allowed to process, review the generated .docx before sharing it, and confirm the output filename/location when handling confidential policy, HR, or compensation materials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger conditions are extremely broad, matching many common enterprise and HR-related keywords and instructing the system to trigger whenever those terms appear with a document-generation need. This can cause unintended invocation in unrelated conversations, expanding the skill's access to user content and increasing the chance of inappropriate automation or data handling without clear user intent.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill instructs the agent to generate and save a .docx file to the workspace, but it does not require notifying the user or obtaining confirmation before writing files. Even though file creation is expected for this skill, silent file output can surprise users, create unwanted artifacts, or write derived content from sensitive source materials without an explicit checkpoint.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The skill description and writing requirements strongly constrain output to Chinese and a specific institutional writing style without indicating that the user can choose another language or format. This can override user preferences, reduce usability, and cause unintended disclosure or mishandling when content should be produced in another language for review, compliance, or stakeholder sharing.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.