Security audit

xiaobai

Security checks across malware telemetry and agentic risk

Overview

This non-executable skill is mainly a strategy and writing guide, but it explicitly includes collecting youth opinion data and archiving Gen-Z social media discussion data without privacy limits.

Use this only as a manually reviewed writing or strategy reference. Do not connect it to social-media credentials, scraping tools, analytics pipelines, or archives of identifiable youth discussion data unless you add explicit consent, aggregation-only handling, age protections, retention limits, and legal or ethics review.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly lists '10后思想数据采集' as an intended use, which implies collecting opinion or discussion data from youth without any notice of consent, lawful basis, minimization, retention, or protection. Because the data subject group appears to include minors or young users, the privacy and compliance risk is elevated and could lead to inappropriate profiling or large-scale collection of sensitive behavioral data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The archive plan calls for storing global Gen-Z discussion data and TikTok challenge data in CSV/URL form, but provides no warning or controls for privacy-sensitive handling, cross-border transfer, de-identification, or permitted sources. This creates a concrete risk of mass surveillance-style aggregation, retention of personal or pseudonymous identifiers, and downstream misuse of platform-derived behavioral data.

Ssd 3

Medium

Confidence: 97% confidence
Finding: The skill's intended-use statement includes collecting youth thought/discussion data, which is a direct instruction toward gathering potentially sensitive behavioral information from a vulnerable population. In skill context, this is more dangerous because it is framed as a strategic capability rather than a narrowly scoped research activity with consent, ethics review, or minimization constraints.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The archive specification explicitly plans to store global Z-generation discussion data and challenge data without defining consent boundaries, minimization, or what constitutes acceptable public-data reuse. This can enable collection and long-term storage of social-media behavioral datasets at scale, increasing re-identification, profiling, and misuse risks, especially across jurisdictions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.