Security audit

Qidian Reader

Security checks across malware telemetry and agentic risk

Overview

This is a Qidian book-recommendation helper that browses public ranking pages and does not request credentials or change user data.

Install this if you want Qidian-specific recommendations or live Qidian ranking lookups. For general novel recommendations, be explicit when you do not want live Qidian browsing, and do not provide Qidian credentials or ask the agent to bypass verification pages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger examples are broad generic book-recommendation requests rather than clearly scoped Qidian-specific intents, which can cause the skill to activate in situations where a general assistant response would be safer and more appropriate. Over-broad activation increases the chance of unnecessary browser automation against a live site, expanded data access, and user confusion about when external retrieval is being performed.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.