Back to skill

Security audit

cmg gem油藏数值模拟专家

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CMG GEM modeling helper that may create simulation files and run a local simulator, but those actions fit its stated purpose.

Install only if you want an agent to help create and debug CMG GEM DAT files. Before letting it run a simulation, check the DAT file, working directory, executable path, and parallelism setting, and avoid overwriting important project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly states it will write generated DAT files into the user's working directory, but it does not require an explicit confirmation step, constrained output path, or clear warning about filesystem modification. In an agentic setting, file writes can overwrite existing inputs, place files in sensitive locations if the path is user-controlled, or create unexpected artifacts on the host system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is designed to execute a local simulator binary and iterate based on output logs, but it provides no explicit safety boundary, approval gate, or restriction on what executable path may be run. Running local executables from an agent workflow materially increases risk because it can trigger unintended code execution, consume significant resources, and potentially run attacker-influenced commands if file paths or arguments are manipulated.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.