Research XCorbit

Security checks across malware telemetry and agentic risk

Overview

This is a market-research guidance skill with no executable code, persistence, credential access, or hidden privileged behavior.

Install this if you want a rigorous Chinese-language product market research framework. Expect it to push agents toward structured, source-heavy reports and recent public web/platform research; for lightweight brainstorming or copywriting, you may need to tell the agent not to use it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description is scoped so broadly that it can trigger on very common product, strategy, and market questions, increasing the chance that the agent invokes this skill in situations where a narrower or safer capability would be more appropriate. Over-broad activation creates control-risk rather than direct code-execution risk: it can hijack normal user workflows, bias outputs toward a fixed framework, and reduce reliable skill routing.

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The applicable-scenario list enumerates many broad request types but does not define clear boundaries for when the skill should not be used. In practice this can cause over-invocation on ordinary business or ideation prompts, making the agent less predictable and potentially forcing unnecessary web-style research or strategic framing onto user requests that do not require it.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal