Security audit

Packaging Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a packaging-design helper that uses markdown instructions and reference templates, with no executable code or evidence of hidden data access.

Install only if you want a Chinese-language packaging design generation workflow. Before allowing file output, confirm the filename, format, and destination path, and remove or ignore the overly broad 'meta-skill-system' trigger if your environment supports trigger customization.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger phrases include very broad terms such as '生成包装', '创建包装', and especially 'meta-skill-system', which can overlap with ordinary user requests and may cause the skill to activate unexpectedly. Unintended invocation increases the chance that the agent follows this skill's file-output workflow in contexts where the user did not explicitly request it.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs that generated content should be saved as files and later tells the user the file location and opening method, but it does not clearly warn the user or require confirmation before file-writing occurs. In an agent environment, implicit file creation can lead to unexpected writes, overwrite risks, or persistence of unreviewed content on the host system.

Natural-Language Policy Violations

Medium

Confidence: 88% confidence
Finding: The exemplar is written entirely in Chinese and presents all prompts, steps, and output examples in that language without any language-selection mechanism or opt-in. In a multilingual agent environment, this can exclude users, cause misinterpretation of requirements, and lead downstream components to assume Chinese-only operation, creating a policy and usability risk rather than a direct code-execution issue.

Natural-Language Policy Violations

Medium

Confidence: 93% confidence
Finding: The file content is entirely in Chinese and provides no mechanism to adapt to the user's preferred language or locale. In an agent skill, this can cause misunderstandings of requirements, outputs, or safety-relevant details for non-Chinese-speaking users, reducing usability and potentially leading to incorrect packaging content generation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal