Security audit

Duleheng Consulting

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese engineering-consulting prompt skill with no executable code, hidden access, or persistence, though users should treat its professional advice as advisory.

Install this only if you want a Chinese-language engineering consulting assistant. Review any related skills before installing the asset IDs it recommends, and do not rely on its output alone for binding legal, contract, investment, or cost-control decisions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger phrase set includes very generic natural-language activators such as broad consulting requests, which can match ordinary user prompts that were not intended to invoke this skill. In an agent environment, overly broad activation increases the chance of accidental routing, causing the model to adopt this skill’s persona and workflow when the user merely mentions adjacent topics.

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The listed trigger phrases do not define strong activation boundaries, so the skill may activate on ambiguous mentions of contracts, bidding, disputes, or cost control in normal conversation. Without explicit non-trigger cases, orchestration systems may over-match and unintentionally hand control to this skill, which can distort responses or suppress other better-matched skills.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal