Back to skill

Security audit

Crypto Market Morning Brief

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward crypto market brief generator that uses public web searches and does not request local files, credentials, persistence, or mutation authority.

Before installing, understand that this skill will likely use web search for up-to-date crypto market information and may answer in Chinese by default. Treat generated market summaries as informational only, not investment advice, and verify important prices or regulatory claims from cited sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrases are broad enough to match ordinary user requests about crypto markets, which can cause the skill to activate unexpectedly and steer responses into its predefined workflow. In an agent system, overbroad activation is a genuine security and safety issue because it can override user intent, increase exposure to external content retrieval, and cause the agent to act when a normal answer would have sufficed.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The description strongly implies Chinese-language behavior without offering a language-selection mechanism. This is not a classic security bug, but in an agent-routing context it can cause unintended behavior, confuse users, and make the system less transparent about output constraints.

Natural-Language Policy Violations

Low
Confidence
72% confidence
Finding
The sample output format hardcodes Chinese headings and provides no locale scope or opt-in, which can force a language choice at execution time. In this skill's context, the issue mainly affects predictability and user control rather than confidentiality or code execution, so the impact is limited but real.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.