热点雷达

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent hot-list reporting tool that fetches public trend data and saves local reports, with no evidence of hidden execution, exfiltration, or destructive behavior.

Install only if you are comfortable with the skill contacting public and third-party trend APIs and saving local history, reports, and monitored keywords. Enable scheduled runs intentionally, review any push targets before use, and avoid providing real platform cookies unless you understand they may be sensitive session credentials.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The skill grants `ExecuteCommand`, which enables shell execution despite the stated purpose being data aggregation, monitoring, and report generation. Even if intended for running the documented `node scripts/index.js html`, unnecessary shell access expands the attack surface substantially: prompt-influenced commands, local file access, credential exposure, and arbitrary process execution become possible if the skill logic or downstream tooling is abused.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal