SUNS 品牌母体空间寻址器

Security checks across malware telemetry and agentic risk

Overview

This is a simple brand-address formatting skill that performs a length-based checksum and does not ask for files, credentials, network access, or code execution.

Safe to install for normal use as a lightweight brand-address calculator. Treat claims such as digital deeds, anti-counterfeit protection, or cross-chain verification as branding unless you have independent evidence that they connect to a real registry or legal process.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 78% confidence
Finding: The README uses broad call-to-action language that can cause the skill to be invoked for generic brand-name or naming requests without clear boundaries on accepted inputs or intended use. In agent environments, overly broad invocation cues can lead to accidental triggering, misrouting of user requests, and execution in contexts the author did not intend, which increases the chance of unsafe or confusing behavior.

Natural-Language Policy Violations

Medium

Confidence: 91% confidence
Finding: The skill hard-codes Chinese-only output and does not provide any user choice, which can override a user's preferred language and reduce transparency or accessibility. While this is not a code-execution or data-exfiltration risk, it is a genuine policy and usability issue because it constrains agent behavior in a way that may conflict with user needs or platform expectations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal