获取微博热搜榜单，智能分类热点话题，生成分段式结构化日报。

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public Weibo hot-search data from a disclosed source and formats a local report without persistence, credential access, or automatic posting.

Install only if you are comfortable with the skill contacting the disclosed third-party Weibo hot-search mirror to retrieve live public content. Returned topics are dynamic third-party content and may be incomplete or sensitive; stricter environments should review or replace the data source before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases shown in the README are very broad, everyday requests such as asking for today's Weibo hot searches. Broad activation language increases the chance of unintended invocation in normal conversation, which can cause the agent to fetch external data or produce skill output when the user did not explicitly intend to run this skill.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The description says the skill gets Weibo hot-search rankings, but it does not clearly warn users that invoking the skill will retrieve external content. Lack of notice reduces user awareness around network access, third-party data sourcing, and the possibility that returned content may be untrusted or dynamic.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal