AI Project Documentation Generation Skill

Security checks across malware telemetry and agentic risk

Overview

This is a simple local Python README and changelog generator with some documentation mismatches but no evidence of hidden access, persistence, credential use, or destructive behavior.

Treat this as a lightweight local Python text generator, not a fully packaged npx CLI. Run it as python app.py, review generated README or changelog output before saving it, and use more specific trigger phrases if adapting the Hubble publishing example.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The Hubble publishing instructions explicitly suggest broad trigger phrases like “生成文档” and “生成日志”, which are generic enough to match normal user conversation rather than deliberate tool-invocation intent. In an agent skill context, vague triggers can cause unintended activation, leading to unexpected execution of the documentation generator and possible misuse of user-provided content or disruption of normal chat flow.

VirusTotal

67/67 vendors flagged this skill as clean.
