Security audit

岗位级AI执行系统·商业变现方法论 (Role-Level AI Execution System: Commercial Monetization Methodology)

Security checks across malware telemetry and agentic risk

Overview

This is a promotional business-methodology skill with broad activation wording, but it does not request sensitive access, run code, persist, or perform hidden actions.

Install only if you want guidance on this specific AI-employee commercialization framework. Expect promotional framing and broad activation around AI business questions; remove or narrow the trigger phrases if you want it to stay out of general AI, business, or implementation conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 94%
Finding
The activation rules use broad business/AI phrases like '怎么做', '怎么落地', and generic mentions of AI cost reduction or commercialization, which can cause the skill to activate for many unrelated user requests. This creates scope hijacking risk: the skill may override more appropriate domain-specific skills and steer conversations toward its commercial methodology and lead-generation funnel.

Vague Triggers

Medium
Confidence: 92%
Finding
The manifest description embeds a long trigger-word list containing generic terms such as 'AI变现', '中小企业AI', 'AI落地', and 'AI替代人工' without scope limitations. In systems that use metadata for routing, this can make the skill match overly broad user intents and inappropriately inject promotional or off-target guidance into unrelated conversations.

VirusTotal

63/63 vendors flagged this skill as clean.