Back to skill

Security audit

Quanyu Tech Director

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Chinese-language project coordination workflow that delegates engineering tasks and keeps a local task tracker, with no executable code or hidden data access found.

Install this if you want a Chinese-language engineering coordination workflow that delegates implementation to agents and maintains TASK-TRACKER.json. Review the trigger wording first if you prefer explicit confirmation before agent dispatch or tracker updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description says it activates whenever the project manager assigns tasks, tracks progress, handles timeouts, or reports results, which are broad operational situations rather than tightly scoped triggers. In an agent system, this can cause over-activation and unintended takeover of normal workflow decisions, increasing the chance the skill is invoked in irrelevant contexts and imposes its rigid delegation behavior where it does not belong.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.