Back to skill

Security audit

xiaobai

Security checks across malware telemetry and agentic risk

Overview

This non-executable skill is mainly a strategy and writing guide, but it explicitly includes collecting youth opinion data and archiving Gen-Z social media discussion data without privacy limits.

Use this only as a manually reviewed writing or strategy reference. Do not connect it to social-media credentials, scraping tools, analytics pipelines, or archives of identifiable youth discussion data unless you add explicit consent, aggregation-only handling, age protections, retention limits, and legal or ethics review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly lists '10后思想数据采集' as an intended use, which implies collecting opinion or discussion data from youth without any notice of consent, lawful basis, minimization, retention, or protection. Because the data subject group appears to include minors or young users, the privacy and compliance risk is elevated and could lead to inappropriate profiling or large-scale collection of sensitive behavioral data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The archive plan calls for storing global Gen-Z discussion data and TikTok challenge data in CSV/URL form, but provides no warning or controls for privacy-sensitive handling, cross-border transfer, de-identification, or permitted sources. This creates a concrete risk of mass surveillance-style aggregation, retention of personal or pseudonymous identifiers, and downstream misuse of platform-derived behavioral data.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill's intended-use statement includes collecting youth thought/discussion data, which is a direct instruction toward gathering potentially sensitive behavioral information from a vulnerable population. In skill context, this is more dangerous because it is framed as a strategic capability rather than a narrowly scoped research activity with consent, ethics review, or minimization constraints.

Ssd 3

Medium
Confidence
96% confidence
Finding
The archive specification explicitly plans to store global Z-generation discussion data and challenge data without defining consent boundaries, minimization, or what constitutes acceptable public-data reuse. This can enable collection and long-term storage of social-media behavioral datasets at scale, increasing re-identification, profiling, and misuse risks, especially across jurisdictions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.