Shike Gift Advisor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, instruction-only gift recommendation skill with no executable code or privileged access.

Reasonable to install for gift-planning help. Users should avoid sharing sensitive personal details, verify any price or purchase advice independently, and treat the listed email/WeChat paid-service contacts as separate third-party channels.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The description includes broad trigger phrases like '礼物推荐', '生日礼物', and 'gift recommendation', which are common everyday queries and can cause the skill to be invoked unintentionally outside a clearly bounded context. This can lead to skill hijacking or inappropriate routing, especially in environments with multiple overlapping recommendation skills.

Natural-Language Policy Violations

Medium

Confidence: 80% confidence
Finding: The skill metadata and content are predominantly Chinese and do not clearly offer a language-choice or fallback behavior for non-Chinese users. This can cause user confusion, incorrect outputs, or unintended invocation in multilingual environments, though it is more of a safety and usability weakness than a direct security exploit.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal