yoooclaw-world-cup-post-match-review-scene

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it can broadly search local messaging and notification content for match discussion without explicit app or group scoping.

Install only if you are comfortable with the agent using local notification or group-message context to summarize World Cup discussion. Prefer specifying exact apps, groups, channels, and time ranges, and avoid using the notification-based hot-topic or full-output mode when unrelated private messages may be visible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 93% confidence
Finding
The skill instructs querying broad local notifications, fan groups, messaging apps, and social apps based on vague user intent such as '全量' (full output) or '赛后热议焦点' (post-match hot topics), without requiring explicit, granular consent at execution time. This can expose private message content, group activity, @mentions, and other sensitive personal data unrelated to the user's immediate request, especially because the default scope expands when the user does not specify groups or apps.

VirusTotal

59/59 vendors flagged this skill as clean.
