Back to skill

Security audit

四六级英语备考助手

Security checks across malware telemetry and agentic risk

Overview

This looks like a study-helper skill with low-impact local study tracking, not a malicious or high-risk integration.

Install if you are comfortable with a local wrong-answer history being kept for review. Use explicit prompts when invoking it, and periodically inspect or delete the local study record if privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad natural-language phrases such as '四六级备考' and '英语刷题', which can accidentally match ordinary user requests and invoke the skill without clear user intent. This can cause unintended behavior, especially because the skill also maintains persistent wrong-answer records, making accidental activation more privacy-relevant than a purely stateless helper.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly stores users' incorrect answers and translations in a persistent local file, but it does not disclose this behavior or obtain consent. Because the stored content can include learning history and free-text responses, users may unknowingly create a record of their activity, which raises privacy and data-retention concerns even in an educational context.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.