Qiuqiu Helper

Security checks across malware telemetry and agentic risk

Overview

Qiuqiu Helper is a small, instruction-only workspace helper with disclosed note-writing and log-cleanup behavior, but users should be careful with the cleanup path.

Install only if you are comfortable with the agent writing notes into a memory folder and deleting old logs. Before using clean_logs, confirm the target directory and retention period, and avoid pointing it at broad or important folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The phrase 'Just call it' is ambiguous and encourages invocation without clear preconditions, scope, or confirmation requirements. In an agent skill, vague activation guidance can cause the tool to be triggered too broadly or in unintended contexts, potentially exposing workspace state or causing unnecessary autonomous actions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises a destructive deletion capability without warning, safeguards, or confirmation steps. Because it accepts both a retention value and a path, an agent could delete files from unintended locations or remove logs needed for forensics, troubleshooting, or compliance if the tool is invoked incorrectly or manipulated by adversarial prompts.

VirusTotal

66/66 vendors flagged this skill as clean.
