Security audit

警察执法资格考试助手

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal exam-study helper with accuracy and broad-trigger caveats, not evidence of hidden control, data theft, or destructive behavior.

Install only if you are comfortable with a Python-based study helper that uses bundled exam data and includes a web article-fetching module. Treat exam and legal content as unofficial, verify important requirements against official sources, and avoid feeding the web-fetch helper internal or private URLs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: fetch_weixin_article accepts an arbitrary URL and performs a live HTTP request with no validation, allowlist, or warning. In an agent or plugin context, this can enable server-side request forgery behavior, allowing the skill to reach internal services, cloud metadata endpoints, or other unintended network targets if user-controlled input reaches this method.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal