Security audit

HiFi Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed HiFi review helper that gathers public audio evidence and runs local analysis scripts, with no signs of credential access, persistence, exfiltration, or destructive behavior.

Install if you want audio-gear evaluations that use public measurements and reviews. Be aware it may activate automatically for HiFi-related prompts and will tend to answer bilingually with Chinese first; explicitly ask for single-language output if that matters.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill enables implicit invocation (`allow_implicit_invocation: true`) without any visible trigger constraints or narrowing conditions in this file. That can cause the agent to auto-route ordinary HiFi-related user queries into this skill unexpectedly, increasing the chance of unintended tool/skill activation, prompt-surface expansion, and misuse of the skill in contexts the user did not explicitly consent to.

Natural-Language Policy Violations

Medium

Confidence: 91% confidence
Finding: The rule hard-codes bilingual output with Chinese first, regardless of the user's language preference or explicit opt-in. While not a classic security exploit, it can override user intent, cause unintended disclosure in shared contexts, and create prompt-compliance/privacy issues if the user expected a single-language response.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal