Security audit

Promotional Generation

Security checks across malware telemetry and agentic risk

Overview

This is a text-only promotional-material generation skill whose file output behavior is disclosed and aligned with its purpose.

Install this if you want a Chinese-language helper for creating promotional materials. When using it, choose an output folder in your workspace and confirm before overwriting existing files; expect broad Chinese promotional terms to activate the skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes broad natural-language phrases such as '宣传单', '宣传册', and '宣传海报' that can plausibly appear in ordinary user requests, increasing the chance that this skill activates when the user did not explicitly intend to invoke it. Because the skill also claims authority to read references and produce output files, accidental activation expands the attack surface and could cause unintended file-generation behavior or override a more appropriate skill.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs that generated content will be saved as files and that the user will be told the file location, but it does not clearly warn that invoking the skill may cause file-writing behavior. In an agent environment, undisclosed write operations can surprise users, overwrite artifacts, or create persistent outputs without explicit consent, especially when paired with broad activation triggers.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal