truetime-cn

Security checks across malware telemetry and agentic risk

Overview

This skill is a local time-calculation helper with broad activation guidance, but its behavior is disclosed, purpose-aligned, and does not show hidden data access or persistence.

Install this if you want precise Chinese calendar, holiday, and timezone calculations. Be aware it tells agents to invoke it for many time-related phrases, so users who prefer fewer automatic tool calls may want narrower activation wording, but no hidden network, credential, persistence, or destructive behavior was found.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger rules are extremely broad, requiring invocation whenever common temporal words like 'today', 'tomorrow', or 'later' appear. This can cause excessive tool use, unnecessary access to runtime context, and over-collection of time-related user context in ordinary conversation where precise computation is not needed.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The statement that any relevant request 'should use this skill' is overly absolute and encourages blanket invocation without proportionality checks. In practice, this can bias the agent toward unnecessary tool execution and make the skill a default path for a wide range of benign queries, increasing operational surface area and the chance of unintended data handling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal