Solo Forge

Security checks across malware telemetry and agentic risk

Overview

Solo Forge is a disclosed local business assistant, but it can read and modify sensitive client, deal, payment, and project-status files through broad natural-language triggers without consistently requiring confirmation.

Install only if you are comfortable letting the assistant manage local client, project, and payment JSON files. Keep real business data out of shared repositories or cloud-synced folders, back up the data files, and manually confirm any proposed write to deals.json, clients.json, or config.json, especially payment updates and project status changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

High
Confidence: 95%
Finding
The trigger phrase "帮我" ("help me") is extremely broad and commonly appears in ordinary conversation, so it can cause the skill to activate in situations the user did not specifically intend. In an agent environment with file access and business workflow actions, accidental activation increases the chance of unintended reads, writes, or guidance being applied to sensitive local business data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README emphasizes persistent local storage of customer, deal, and configuration data, but does not clearly warn users that these files may contain sensitive commercial information, payment history, and client risk notes. Without explicit privacy and handling guidance, users may unknowingly expose confidential business data through insecure storage, backup, sharing, or repository mistakes.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs direct read/write access to user business data files and to create missing files, but it does not require clear user consent or notify the user before persistence occurs. In a skill that handles client, deal, and configuration records, silent creation or modification can lead to unintended data retention, privacy issues, and integrity problems if the assistant mis-parses input or writes incorrect defaults.

Missing User Warnings

Medium
Confidence: 86%
Finding
The module explicitly instructs reading and writing customer profiles and company research to a local `data/clients.json` file, which can include sensitive business contact details, notes, and inferred decision-maker information. Persisting this data without any notice, consent, retention policy, access control, or handling guidance creates a real privacy and confidentiality risk, especially because the skill is designed to accumulate client intelligence over time.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger text '生成进度报告、验收报告、满意度调查时加载此模块' ("load this module when generating progress reports, acceptance reports, or satisfaction surveys") activates the module for several common document-generation tasks without defining stricter boundaries, exclusions, or required user intent. In a business assistant that also reads project/payment data and pushes collection-oriented actions, broad activation can cause the wrong guidance to be injected into unrelated conversations or documents, including legal/payment suggestions the user did not explicitly request.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger condition "当用户说'客户说XXX,怎么回'时加载此模块" ("load this module when the user says 'the client said XXX, how should I reply'") is broad and underspecified, so the module may activate for loosely related conversations without checking whether the user is actually seeking negotiation guidance in an appropriate business context. In an agent system, overly broad activation can cause irrelevant or manipulative sales tactics to be injected into responses, increasing the chance of unintended behavior or policy drift.

Vague Triggers

Medium
Confidence: 88%
Finding
The action mapping binds natural-language phrases directly to write operations, such as "添加项目/新建项目" ("add project / new project") and "更新项目/已收款X元" ("update project / received X yuan"), but defines no clear command boundaries, confirmation mechanism, or disambiguation rules. In a conversational setting this makes it easy for descriptive statements, examples, or discussion to be misread as real instructions, unexpectedly modifying deals.json and compromising business data integrity.

Vague Triggers

High
Confidence: 94%
Finding
The state-transition rules use highly colloquial trigger words such as "做完了" ("it's done"), "验收通过了" ("acceptance passed"), and "项目取消了" ("the project was cancelled"), and the documentation explicitly states that status and updated_at are updated automatically. Because these phrases frequently appear in relayed quotes, draft messages, historical reviews, or hypothetical discussion, a false trigger directly changes the project lifecycle state, which in turn affects downstream business actions such as acceptance, final-payment collection, and cancellation settlement.

Missing User Warnings

Medium
Confidence: 81%
Finding
The documentation states that "all data is read and written directly to JSON files" and that an empty structure is created automatically when a file does not exist, but it does not require the user to be explicitly informed on first write, overwrite, or initialization. Users can therefore trigger persistent modifications without knowing it, and in project-management and finance scenarios this can cause records to be unexpectedly created, overwritten, or corrupted.

VirusTotal

64/64 vendors flagged this skill as clean.