生成每日金融市场 Word 日报

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrow local Word-report generator that reads configured market data and writes a report, with no evidence of network exfiltration, destructive behavior, or hidden privilege use.

Install only if you want this financial-market Word report workflow and have the expected local config.py and market_data.json paths set up. Review the hardcoded config import path and consider narrowing the trigger phrase to avoid accidental activation for unrelated report requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger phrase `生成报告` is overly generic and can match many unrelated user requests, causing the skill to activate outside its intended financial-daily-report context. Misrouting can lead the agent to read local market data files and generate documents when the user asked for a different kind of report, increasing the risk of unintended file access, confusion, or data leakage in multi-skill environments.

Vague Triggers

Low

Confidence: 88% confidence
Finding: The activation condition `触发‘生成每日金融日报’流程的第二步时使用` is ambiguous because it depends on an external workflow state that is not defined in the skill itself. In practice, unclear boundaries can cause incorrect invocation order, skipped validation, or execution without the necessary upstream data-collection guarantees, which weakens control over when local files are accessed and documents are produced.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal