Monthly Report Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a coherent finance-reporting skill, but it can update persistent Feishu financial templates under broad triggers without explicit confirmation or rollback safeguards.

Install only for the named monthly reporting workflow. Before use, explicitly provide and confirm the company, reporting month, source spreadsheet, target Feishu document, sheet, and exact ranges; require a preview or manual approval before any write or cleanup operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger description is broad enough to activate on generic phrases like '月度分析' or '报表分析', which can cause the skill to run in contexts unrelated to this specific financial workflow. In a finance-oriented skill that reads accounting data and updates report templates, unintended activation increases the risk of acting on the wrong entity, wrong month, or wrong document set, leading to data corruption or disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal