liyan de skill

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only gold market analysis skill with no executable code, credentials, persistence, or account-control behavior.

Install this only if you want a Chinese-language helper for gold market analysis. Treat its buy/hold calls and ETF rankings as educational output, verify prices and fund data from official financial sources, and do not rely on it as personalized financial advice.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill declares it must be used for essentially any gold-investment-related question, with many broad examples and no clear routing boundaries. Over-broad activation can cause the agent to invoke this skill when not necessary, overriding user intent or other more appropriate skills and increasing the chance of unintended web access, financial guidance, or policy-violating output in adjacent contexts.

Natural-Language Policy Violations

Medium

Confidence: 89% confidence
Finding: The skill metadata and content mandate Chinese-language behavior without checking the user's preferred language or obtaining opt-in. This can lead to responses in an unexpected language, reduce user comprehension for financial content, and create safety issues when presenting time-sensitive investment analysis that the user may misread or be unable to verify.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal