中国日历

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple Chinese holiday lookup helper that openly uses the timor.tech API and does not show hidden code, credential access, persistence, or destructive behavior.

Install if you are comfortable with Chinese calendar queries being sent to timor.tech. Avoid using it for confidential scheduling or sensitive operational planning, and verify critical holiday/workday decisions against an official source.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Low

Confidence: 93% confidence
Finding: The skill instructs users to query a third-party API but does not disclose that requested dates, IP address, user agent, and other access metadata will be transmitted to timor.tech. This is a real privacy/transparency issue, though the transmitted data is relatively low sensitivity in the examples shown.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # 查询今天 curl -s "https://timor.tech/api/holiday/info/$(date +%Y-%m-%d)" # 查询指定日期 curl -s "https://timor.tech/api/holiday/info/2026-02-28"
Confidence: 95% confidence
Finding: curl -s "https://timor.tech/api/holiday/info/$(date +%Y-%m-%d)" # 查询指定日期 curl -s "https://timor.tech/api/holiday/info/2026-02-28" # 查询明天 curl -s "https://timor.tech/api/holiday/info/$(date -d

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash # 查询2026年所有节假日 curl -s "https://timor.tech/api/holiday/year/2026/" ``` ### 批量查询多个日期
Confidence: 95% confidence
Finding: curl -s "https://timor.tech/api/holiday/year/2026/" ``` ### 批量查询多个日期 ```bash # 查询本周所有日期or day in {0..6}; do date_str=$(date -d

External Transmission

Medium

Category: Data Exfiltration
Content: ### 判断明天是否需要上班 ```bash response=$(curl -s "https://timor.tech/api/holiday/info/$(date -d 'tomorrow' +%Y-%m-%d)") if echo "$response" | grep -q '"holiday":false'; then echo "明天是工作日，需要上班"
Confidence: 96% confidence
Finding: curl -s "https://timor.tech/api/holiday/info/$(date -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal