UAPI Timestamp Conversion API

Security checks across malware telemetry and agentic risk

Overview

This is a narrow timestamp-conversion skill that may call a disclosed UAPI endpoint, with only minor routing over-selection concerns.

Install this if you want an agent to use UAPI for timestamp conversion. Be aware that timestamp or date values may be sent to UAPI, and the broad trigger wording could make the skill activate for some general timestamp questions; avoid using it for sensitive time data if that matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger keyword set includes the very broad term "unixtime," which can match generic user requests that merely mention timestamps rather than an explicit intent to use this specific UAPI endpoint. In an agent-routing context, overly broad triggers can cause unintended skill activation, leading to incorrect external API calls, unnecessary data disclosure to a third party, or user-confusing behavior.

Vague Triggers

Low
Confidence: 74%
Finding
The selection guidance says when to use the skill but does not clearly define when not to use it, increasing the chance that the agent will over-select this single-endpoint skill for adjacent or ambiguous requests. This is primarily a routing integrity issue: it can degrade correctness and in some systems may cause unnecessary external requests, though the endpoint itself appears low risk.

Vague Triggers

Medium
Confidence: 91%
Finding
The skill enables implicit invocation, but the trigger guidance is broad and ambiguous: it applies whenever a user wants to 'get convert unixtime' or related phrases, without tight constraints on when autonomous tool use is appropriate. This can cause the agent to invoke the external API unexpectedly or unnecessarily, increasing the risk of unintended data disclosure, incorrect tool routing, and reduced user control over actions.

VirusTotal

64/64 vendors flagged this skill as clean.
