Back to skill

Security audit

wpf-developer

Security checks across malware telemetry and agentic risk

Overview

This is a simple WPF development guidance skill with no executable code, hidden access, or persistence.

Safe to install as a WPF coding assistance skill. Users who do not read Chinese may prefer a translated or language-adaptive version, and any generated WPF code should still be reviewed before use in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger condition is extremely broad, covering essentially any WPF-related request from architecture to debugging. This can cause the skill to activate on routine conversations where the user did not explicitly request this specialized skill, leading to unintended routing, over-collection of context, or inappropriate responses. In this context it is not directly exploitative, but it does increase the chance of misfires and policy bypass through overbroad matching.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill is written entirely in Chinese and implicitly frames outputs in that language without offering user-language negotiation. This can cause responses to be produced in a language the user did not request, creating usability issues, misunderstanding of technical instructions, and accidental disclosure or mishandling if users rely on incorrect interpretation. The risk is limited because this is primarily a UX and safety-quality issue rather than a direct security exploit.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.