Security audit

Tonghuashun

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only skill for summarizing public Tonghuashun market and news pages, with no code, credentials, trading, or persistence behavior.

Reasonable to install for public market and news summarization. Treat outputs as informational, verify important financial data with authoritative sources, and keep any automated access within Tonghuashun’s terms and rate limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 82%
Finding:
The trigger description is broad enough that many ordinary requests about market data, finance news, or automation of related content could match, causing the skill to be invoked when the user did not specifically ask for this site or capability. In an agent setting, overbroad routing can expose the user to unintended web access, produce irrelevant results, and bypass more appropriate domain-specific or safer skills.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.