tangyuan-parenting

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent parenting-log helper, but it stores sensitive child-care notes locally and users should manage those files carefully.

Install only if you are comfortable keeping a young child's care, health, sleep, and family-routine notes as local Markdown files. Use a private workspace or set TANGYUAN_LOG_DIR to a private folder, review parsed feedback before confirming saves, periodically delete old logs if no longer needed, and treat health suggestions as general guidance rather than medical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
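Trigger words such as "记录" ("record") and "反馈" ("feedback") are overly broad and can easily trigger the skill by mistake in unrelated conversations, causing content the user never intended to save to be parsed and written to the parenting log. Because this skill handles sensitive child and family information, the privacy-leak and incorrect-record risks from a false trigger are higher than for a typical skill.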

Vague Triggers

Medium
Confidence
80% confidence
Finding
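The catch-all trigger "关于汤圆的通用育儿问题" ("general parenting questions about Tangyuan") has a vague boundary and may activate the skill during ordinary chat or generalized family discussion, automatically reading the personal profile and parenting reference files. The vaguer the context, the more likely sensitive personal data is pulled into an answer without the user fully expecting it.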

Missing User Warnings

High
Confidence
95% confidence
Finding
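The skill documentation does not clearly tell users that care feedback, weekly reports, and history records are stored long-term as workspace files, and that this content includes sensitive information such as the child's health, daily routine, family members' roles, and location context. The lack of prominent notice and a consent mechanism can lead users to expose highly sensitive family data unknowingly, and increases the risk of it being read by other local processes or people.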

VirusTotal

63/63 vendors flagged this skill as clean.
