竞品分析助手 (Competitor Analysis Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only competitor analysis guide with no code execution, credentials, persistence, or hidden data access.

Installers should know this skill may trigger for broad business research or product-comparison prompts. Review whether that routing behavior is desirable, but there is no artifact-backed evidence of malicious behavior or high-risk permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list in the metadata is broad and includes common business-analysis terms such as 市场调研 (market research), 商业分析 (business analysis), 行业研究 (industry research) and SWOT分析 (SWOT analysis), which can cause the skill to activate for many ordinary requests not clearly scoped to competitor analysis. This creates unintended routing risk: users may be pushed into a rigid analysis workflow or receive irrelevant structured outputs when they did not explicitly ask for this skill.

Vague Triggers

Medium
Confidence: 92%
Finding
The markdown activation conditions are ambiguous because they include generic phrases like 产品对比 (product comparison), 市场调研 (market research), 行业研究 (industry research), 替代品 (substitutes), and XX和YY哪个好 ("which is better, XX or YY"), all of which can appear in many non-competitor contexts. In a skill-routing environment, this broad matching increases unintended activation and can override more appropriate skills or produce misleading business advice in the wrong context.

VirusTotal

64/64 vendors flagged this skill as clean.
