Back to skill

Security audit

Upward Reporting

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Chinese workplace-report-writing skill made of Markdown guidance and templates, with no evidence of hidden execution, data access, or destructive behavior.

Install this if you want Chinese-language help drafting workplace reports and related templates. Be aware that generic prompts like writing a document or personal summary may route into this skill, so clarify the workplace scenario and audience when using it; avoid pasting confidential business details unless you are comfortable sharing them with your agent environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description includes broad triggers like '写文档' and '帮我写材料', which can match many generic writing requests and cause this router skill to activate outside its intended reporting niche. In an agent system, overly broad routing can misdirect user requests, suppress more appropriate skills, and create unsafe or poor-quality behavior through prompt capture at the routing layer.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list includes broad phrases such as “横向协作” and “写协作方案”, which can overlap with ordinary workplace requests that may not specifically require a kickoff document skill. This can cause the agent to invoke the wrong skill, leading to misrouting, inappropriate guidance, or unintended access to related references and templates in contexts where this skill was not the best match.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad phrases such as “写项目规划”, “生成技术汇报”, and “写向上汇报”, which can match many ordinary user requests outside the intended narrow planning scenario. This increases the chance of misrouting the user into this skill, causing inappropriate guidance, context confusion, or unintended override of a more suitable specialized skill.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The skill content is written as if interaction will occur in Chinese and does not state any language selection behavior or limits, which can cause the agent to respond in an unintended language or mishandle non-Chinese user input. While not a direct code-execution issue, this can create reliability and safety problems by producing misunderstood planning documents or incorrect routing for users operating in another language.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very broad phrases such as '个人总结' and '写个人复盘', which can match common user requests that are not necessarily asking for a year-end review or performance document. This can cause unintended routing to this skill, leading to incorrect assistance, context confusion, and possible leakage of internal writing heuristics into unrelated workflows.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill content is entirely Chinese-oriented and the description specifies Chinese trigger phrases without offering a language fallback or user-choice mechanism. This can cause the agent to respond in an unintended language or fail to serve users operating in other locales, creating usability and policy-compliance issues in multilingual environments.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.