VibeCoding AI编程工作流

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese-language coding workflow guide with no executable code or hidden privileges; its main issues are broad activation wording and possible language mismatch.

Safe to install as a workflow/reference guide. Users should treat its tool, API, testing, and CI/CD suggestions as planning guidance and review any generated commands, API integrations, credential use, or deployment steps before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad and overlap with common user requests such as asking how to build something with AI or asking for examples. This can cause unintended activation of the skill in unrelated conversations, leading the agent to inject a specific workflow and potentially override user intent or produce unexpected behavior.

Natural-Language Policy Violations

Medium
Confidence: 86%
Finding
The skill is written and framed entirely in Chinese without offering language negotiation or an explicit opt-in for language choice. In multilingual environments this can cause the agent to respond in an unexpected language, degrading usability, causing misunderstandings of technical steps, and increasing the chance of user error during code generation or security-sensitive development tasks.

VirusTotal

63/63 vendors flagged this skill as clean.
