Back to skill

Security audit

Persona Switcher

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent persona switcher, but it asks agents to use sensitive local financial holdings and persistent self-improvement files without clear user consent or tight controls.

Review this skill before installing if you keep financial holdings locally or use self-improvement files. Install only if you are comfortable with automatic persona switching, web searches for domain advice, reading the named positions file for portfolio context, and persistent learning records; consider requiring manual confirmation before any financial-data read or promotion into agent behavior files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The 'Live test' section adds an instruction to look for a marker flag that is unrelated to the documented persona-routing purpose of the skill. In an agent skill, unrelated lookup behaviors can be used to probe the filesystem or exfiltrate hidden markers/secrets, especially when framed as a setup test, so this expands capability beyond least privilege.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list is overly broad for an auto-switching persona system, including many generic finance and macro terms that can appear in ordinary conversation. This can cause unintended activation of the asset-advisor persona, leading the agent to give financial guidance in the wrong context or before establishing user intent, which is especially sensitive in a domain involving investment decisions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states it will read a local holdings file to relate advice to the user's portfolio, but it does not clearly disclose this access to the user or obtain consent first. Accessing sensitive financial data without transparent notice and permission creates a privacy and trust risk, and in this context the data is highly sensitive because it reveals assets, positions, and financial behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list is very broad and includes many generic programming terms such as '代码', 'Python', 'bug', and '实现'. In a persona-switching system, this can cause the code-expert persona to activate during ordinary conversation, overriding user intent or routing requests into a more privileged or tool-using behavior path than intended.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The persona content is entirely in Chinese and the initial prompt template assumes Chinese interaction without offering a language choice. This can mis-handle non-Chinese users, reduce transparency, and cause incorrect persona behavior or unsafe misunderstandings if the agent applies the persona despite the user's language preference.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is broad and includes very common academic terms such as '数据', '结论', '摘要', and '导师', which can cause unintended persona activation during ordinary conversations. In a persona-switching system, accidental routing can change tone, advice style, and tool usage expectations, leading to inappropriate behavior or reduced reliability even without malicious intent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.