date-count

Security checks across malware telemetry and agentic risk

Overview

This is a simple local countdown-date skill with minor privacy and routing cautions, but no evidence of hidden, destructive, or malicious behavior.

Install only if you are comfortable keeping countdowns, birthdays, anniversaries, or deadlines in a local plaintext JSON file. Use explicit wording when asking the agent to list all saved dates, and back up the JSON file before manually editing it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger examples for single-countdown queries are broad natural-language phrases like asking how long until a birthday or Spring Festival, without a clear namespace or activation cue. This can cause the skill to activate on ordinary conversation and intercept user intent unexpectedly, which is a prompt-routing and overbroad invocation risk even though the skill itself is simple.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The examples for listing all countdowns use generic phrases such as '查看所有倒计时' and '列出全部纪念日', which are common user utterances that could overlap with other skills or general assistant behavior. In an agent system, such ambiguous activation language increases the chance of unintended skill invocation, misrouting, and disclosure of locally stored reminder data when the user did not explicitly intend to access this skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal