数据自动分析 (Automatic Data Analysis)

Security checks across malware telemetry and agentic risk

Overview

This skill is a local spreadsheet/report analyzer with disclosed dependencies and outputs, and I found no hidden exfiltration, credential access, destructive behavior, or persistence.

Install this only if you want an agent to help analyze uploaded or explicitly referenced spreadsheets. Be aware that broad prompts like “analyze this” may activate it, and generated HTML reports may contact cdnjs to load charting code when opened unless you modify them for offline use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

High
Confidence: 95%
Finding
The trigger logic is extremely broad, including generic phrases like '分析一下', '看看报表', '这俩哪个好', and '生成日报', and even says the skill 'must' trigger for such common requests. This creates a high risk of unintended activation, causing the agent to process files or enter automated analysis flows when the user may have meant something else or expected a safer/manual response.

VirusTotal

63/63 vendors flagged this skill as clean.
