Xiaozhi English Writing Coach

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed English-writing coaching skill with consent-based progress tracking and no executable code or hidden data access found.

Install this if you want a Chinese-language English writing coach that may remember writing progress after you agree. Before enabling tracking or cross-skill updates, confirm where those learning records are stored and how to clear them.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill declares mandatory activation for a broad set of common writing-related requests, which can cause over-invocation and override user intent or better-matched tools. In practice this can lead to incorrect routing, unnecessary collection of user writing for tracking features, and degraded safety/compliance when the user did not explicitly ask for this skill.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill is written entirely in Chinese while mandating activation for English-writing scenarios without checking the user's preferred language or locale. This can cause the system to respond in an unexpected language, confuse users, and undermine informed consent around guidance and data-tracking features.

VirusTotal

63/63 vendors flagged this skill as clean.
