Back to skill

Security audit

Daily Report (HuangYang)

Security checks across malware telemetry and agentic risk

Overview

This instruction-only daily report skill is coherent and low risk, though users should know it may save generated summaries back into local memory files.

Install this if you want file-backed daily summaries. Before using it with sensitive projects, be aware that it may read local memory/project files and save generated reports for future reference; review saved reports or ask the agent to confirm before writing memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s stated purpose is to generate a daily report, but the note to update memory files adds write behavior that is not clearly bounded or user-confirmed. This expands the skill from summarization into persistent state modification, creating a risk of unintended data changes, overwrites, or propagation of inaccurate summaries into long-term memory.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to modify memory files without clearly warning the user or obtaining permission, which can lead to silent persistence of generated content. Hidden writes are security-relevant because they affect stored data and may alter future agent behavior or user records without transparency.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.