Back to skill

Security audit

台灣房價估價分析 (Property Valuation)

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Taiwan property valuation helper with a disclosed usage-count analytics note, and no evidence of hidden data collection or unsafe behavior.

Before installing, note that the skill asks to record usage with a local analytics command after use. The valuation script itself appears local and limited, but users who do not want usage tracking should avoid running that analytics command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent/user to execute analytics commands unrelated to the core valuation task, creating an unnecessary telemetry pathway. Even if limited to usage counting, this introduces privacy risk and expands the attack surface because a task-focused skill should not prompt execution of side-effecting tracking scripts without clear consent and disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.