Generate Daily Financial Report

Security checks across malware telemetry and agentic risk

Overview

This skill openly describes a financial-report workflow, but it can automatically send the generated report by email after a broad natural-language trigger.

Install only if you trust the local config and the referenced companion skills, and confirm where email will be sent before running it. Treat short requests like 'generate morning report' as capable of collecting market/news data, creating files, and sending the results externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrase "生成晨报" ("generate morning report") is generic and likely to match ordinary user requests that are not intended to invoke this full workflow. Because this skill performs a multi-step pipeline including data collection, report generation, and email sending, accidental invocation could cause unintended script execution, data handling, and outbound communication.

Missing User Warnings

Medium
Confidence: 95%
Finding
This workflow automatically executes a downstream email-sending script as part of a one-shot report-generation pipeline, with no confirmation, preview, recipient validation, or user-visible warning in this file. In an agent skill context, that can cause unintended outbound delivery of potentially sensitive financial content to external recipients, especially if triggered by a simple natural-language request.

VirusTotal

63/63 vendors flagged this skill as clean.
