China Content Research

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says: collect and archive article or market-intelligence content, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable sending collected article content and related metadata to the configured storage or API services. Limit collection to content you have permission to process, avoid storing personal data unnecessarily, and set retention rules for archived material.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly supports extracting and archiving WeChat articles and engagement data, but it does not present clear user-facing privacy, consent, retention, or lawful-use warnings beyond a brief generic guardrail. In a market-intelligence context, this can normalize collection and storage of third-party content and interaction data without adequate limits, increasing risk of privacy violations, terms-of-service breaches, and improper downstream use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal