Security audit

Lithium Promo Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed lithium-battery promotion research/report tool, with only minor overbroad trigger wording to watch for.

Install only if you want a Chinese-language helper for lithium-battery equipment promotion research. Before running it, confirm the target country, platform type, product lines, and output path, since it may generate local report files and future versions may perform live web research.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The trigger phrases are broad enough to match ordinary user requests such as general market research or platform recommendations, which can cause the skill to activate unexpectedly. Overbroad triggering increases the chance of unintentional network access, file generation, and user confusion about which tool is acting, especially in agent environments where trigger routing is automatic.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The manual trigger examples include generic phrases like requesting a report or asking what exhibitions exist, without enough constraints to ensure the user intends this specific skill. In an automated agent system, such examples can train or bias invocation toward this skill for broad requests, causing unnecessary web lookup and report generation beyond the user's intended scope.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal