ym-retail-pitch-skill

Security checks across malware telemetry and agentic risk

Overview

This is a simple text-only Chinese retail sales pitch helper with no code, network access, credentials, storage, or persistence.

Reasonable to install as a retail copy helper. Review generated pitches before using them with customers, especially claims about price, freshness, safety, availability, or product benefits; users may also want clearer activation wording if accidental triggering would be annoying.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrases are broad everyday-language requests such as 'XX怎么介绍' and '帮我推销XX', which can match normal conversation outside a deliberate skill invocation. This can cause accidental activation or routing to the skill in unintended contexts, leading to confusing behavior, misleading outputs, or prompt-scope interference in systems that rely on trigger matching.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal