Security audit

Multi-Bot Message Deduplication

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill prevents duplicate Feishu bot replies and keeps a small local deduplication state file for that purpose.

Install this only if you want duplicate Feishu bot messages to receive no second reply within about 30 seconds. Be aware that it keeps a local dedup_state.json file with sender IDs, timestamps, and message hashes; clear or inspect that file if replies are skipped unexpectedly or if you do not want that metadata retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to persistently store per-user sender IDs, timestamps, and message-derived hashes in a local state file, but provides no privacy, retention, access-control, or consent guidance. Even though the stored hash is only message-derived, it still creates linkable behavioral metadata and could expose user activity patterns or enable correlation if the file is accessed or reused beyond the deduplication purpose.

VirusTotal

65/65 vendors flagged this skill as clean.