Highway Lifecycle

Security checks across malware telemetry and agentic risk

Overview

The skill appears non-malicious and locally scoped, but it gives safety-critical highway and tunnel engineering guidance without clear human sign-off requirements.

Install only as decision-support material. Do not use its outputs to approve designs, adjust tunnel support, manage traffic events, or prioritize repairs without qualified engineers, field investigation, current codes, instrumentation or lab data where required, and documented human sign-off.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The skill content and description are written entirely in Chinese and strongly imply Chinese-language interaction, which can override or ignore a user's language preference. This is not a classic security exploit, but it can cause unsafe or misleading operation if users misunderstand engineering guidance, especially in a high-stakes infrastructure context where precise comprehension matters.

VirusTotal

62/62 vendors flagged this skill as clean.
