Yq Career Future Mirror

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This career-planning skill is mostly purpose-aligned, but it quietly saves sensitive personal conversation data locally without clear consent or retention controls.

Install only if you are comfortable sharing detailed career, education, income, and personal uncertainty information with the skill. Before using it, ask the agent not to silently save conversation logs, or delete output/data/conversation_log.json after generating the letter.

SkillSpector (4)

By NVIDIA

Vague Triggers

Medium
Confidence
93% confidence
Finding
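The description and trigger keywords in the skill metadata cover broad topics such as "career planning, career transition, career confusion, future mirror, career blueprint" and target "any life stage", so the skill is easily over-triggered during ordinary consultations, emotional support, or general career conversations. After a false trigger, it guides the user to provide extensive personal background, education, and work history, widening the unnecessary data-collection surface.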

Vague Triggers

Medium
Confidence
95% confidence
Finding
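Phase one uses only "the user expresses an intent regarding career planning/transition/confusion" as its trigger condition. The boundary is vague, and there is no restriction on when the full information-collection flow should not be started. This lets the skill enter a high data-collection mode directly in low-certainty scenarios, increasing the risk of privacy exposure and of processing beyond what was authorized.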

Missing User Warnings

High
Confidence
99% confidence
Finding
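The documentation requires that, after the conversation ends, the conversation be "silently" appended to a local JSON file, without first clearly informing the user of the storage behavior, what is stored, its purpose, and the retention scope. Because this skill collects sensitive personal information such as education, work history, income expectations, and career confusion, this implicit write to disk constitutes a clear privacy and compliance risk.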

Ssd 3

Medium
Confidence
98% confidence
Finding
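The skill explicitly requires continuously recording all conversation content and reusing it in later phases to generate the "letter from the future". In this context, the conversation content is highly likely to contain sensitive information such as career history, income goals, anxiety, and transition plans. Long-term retention and reuse widen the exposure surface and increase the risk of secondary leakage, accidental display, and use beyond the original purpose.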

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
