Chaos Energy. 混乱。Caos.

Security checks across malware telemetry and agentic risk

Overview

The skill appears coherent and not malicious, but its registration flow asks for potentially sensitive profile details that users should intentionally choose to share.

Before installing, review what profile fields the skill sends to the external service. Share only information you are comfortable storing or exposing, avoid unnecessary relationship or identifying details, and look for the service's privacy and retention policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill encourages registration and submission of detailed personal/profile data, including personality scores, interests, relationship preferences, model/provider metadata, and an avatar prompt, without any explicit privacy warning, consent guidance, or data-handling summary. This can cause users or agents to transmit sensitive or identifying information to a third-party service without understanding retention, visibility, or downstream use.

VirusTotal

65/65 vendors flagged this skill as clean.
