X Mobile Longshot / X 真机感长截图导出
Security checks across malware telemetry and agentic risk
Overview
The skill does its stated screenshot/PDF job, but its renderer can turn crafted output file paths into locally executed Python code.
Review before installing. Use only simple, trusted output filenames inside a dedicated folder, and do not let untrusted text choose --out-png or --out-pdf values. The publisher should pass paths to Python through argv or stdin instead of embedding them into generated Python code.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.