观势 (GuanShi): AI Strategic Analysis and Insight System

Security checks across malware telemetry and agentic risk

Overview

This strategy-analysis skill is coherent overall, but it can automatically run an installer, download and install other skills, and write local files without clear opt-in.

Install only if you are comfortable with first-use setup changing your local skill environment. Before using it, review or run the initializer manually, confirm the downloaded expert skills are trusted, and treat generated knowledge-base files and PPT outlines as potentially containing confidential business information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: Medium | Confidence: 99%
Automatically running `guanshi-init.py --yes` on first trigger creates an implicit code-execution path with no interactive confirmation. Any installer script can modify the local environment, fetch dependencies, or persist additional components, making the strategic-analysis context materially more dangerous because execution is hidden behind a benign use case.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Writing `output/guanshi-ppt-outline.json` to disk as part of normal execution introduces an undeclared side effect and may persist sensitive user/business data locally. In a strategy-consulting workflow, outputs can contain confidential plans, market assumptions, or proprietary internal data, so silent persistence increases confidentiality and compliance risk.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The protocol expands a strategic-analysis skill into automatic environment setup and installation, which is outside the declared purpose and increases the attack surface. Even if intended for convenience, auto-bootstrapping creates an implicit trust path where invoking analysis can trigger local system changes without explicit informed consent.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
The file instructs the agent to run shell commands and execute a Python script discovered via `find`, which can lead to arbitrary code execution if the searched path contains a malicious or replaced installer. This is especially dangerous because the commands are unrelated to the skill's strategic-analysis function and are triggered automatically on first use.

Intent-Code Divergence

Severity: Medium | Confidence: 87%
The file says internal reasoning should be hidden from users, but then instructs use of visible `<thinking>` tags. In many agent runtimes, such tags are not guaranteed to be stripped, so this can cause inadvertent disclosure of analysis intent, intermediate reasoning structure, or prompt scaffolding to end users. In a strategic-analysis skill, that leakage can expose hidden decision criteria and increase prompt-injection or policy-bypass risk.

Intent-Code Divergence

Severity: Medium | Confidence: 96%
The file establishes a hard gate: when information is insufficient, the agent must not output analysis or recommendations. Later, however, it explicitly allows a '初步判断框架' (preliminary judgment framework) as an appetizer. That contradiction weakens the safeguard and creates a prompt-injection or policy-bypass path where the agent can leak directional advice before the required evidence is gathered, undermining the skill's own safety boundary.

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
The initializer downloads ZIP packages from an external service and extracts them into the local skills directory, yet the skill description presents the tool as a strategy-analysis system rather than a software installer. This hidden capability materially expands the trust boundary: a user expecting document/template setup may instead trigger network retrieval and local package installation of code/content they did not explicitly review.

Missing User Warnings

Severity: High | Confidence: 99%
The skill explicitly states that initialization should run automatically and silently, without a user-facing warning or confirmation. Silent installation is a classic unsafe pattern because it removes informed consent, masks system changes, and can be abused to introduce persistent components or network activity under the guise of normal analysis.

Missing User Warnings

Severity: Medium | Confidence: 97%
The protocol runs a shell-discovered Python installer after only a status message, not an explicit consent step, so a user asking for analysis may unknowingly trigger code execution and filesystem changes. Combined with dynamic script discovery, this creates a clear path for unreviewed or malicious code to run under the agent's privileges.

Vague Triggers

Severity: Medium | Confidence: 88%
The trigger condition is underspecified: 'Step 6 complete' plus 'medium and complex problems must execute' leaves room for inconsistent interpretation by the orchestrating agent. In a skill-chaining context, ambiguous activation can cause unintended file generation or downstream invocation of the PPT skill without a clearly bounded user intent, which is a workflow integrity issue rather than direct code execution.

Vague Triggers

Severity: Medium | Confidence: 94%
Treating a generic affirmative reply like '是' (yes) as sufficient to invoke another skill is overly broad and vulnerable to accidental or context-confused activation. In multi-turn conversations, brief affirmations may refer to the analysis content rather than consent to generate files or launch a secondary skill, leading to unintended actions and output creation.

Missing User Warnings

Severity: Medium | Confidence: 98%
In non-interactive mode (`--yes`), the script proceeds to download remote archives and extract them locally without an explicit user-facing warning about network activity or code/package installation. This is dangerous because it enables silent expansion of local functionality from an external source, which can introduce malicious or compromised packages into the user's environment.

VirusTotal

65/65 vendors flagged this skill as clean.