周例会自动化

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear weekly-meeting purpose, but it would automatically modify and upload a local business Excel file on a schedule using scripts that are not included in the reviewed package.

Review before installing. Only use this if you want a scheduled agent to find the latest matching Excel file in D:\00OPENCLAWSPACE\, create or modify a dated copy, use mx-im/UA authorization, and send it to group ID 202410211824178783917. Verify the referenced PowerShell and batch scripts locally, narrow the watched directory if possible, and consider requiring a preview or approval before each send.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill automates discovery, modification, and transmission of a local Excel file to a work chat group on a cron schedule, but the description provides no explicit user-facing consent, confirmation, scope restriction warning, or notice that local files will be altered and sent externally. This creates a real risk of unintended data disclosure and accidental modification of business documents, especially because the workflow selects files automatically from a broad local path and sends them without a human review step.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal