AI 生产力工具助手

Security checks across malware telemetry and agentic risk

Overview

This skill coherently controls a local media-generation client, but prompts and reference images may be forwarded by that client to AI services.

Install only if you trust the DYU local client and its configured gateway/SK. Avoid submitting secrets, confidential images, private internal URLs, or sensitive prior task history unless that external AI-service flow is acceptable, and review large batch requests before submitting them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation states that requests are sent to a local client proxy which then forwards prompts and image URLs to an external AI service, but it does not clearly warn that user-supplied content leaves the local machine. In this skill’s context, users may assume localhost processing is private; that misunderstanding can lead to unintentional disclosure of sensitive prompts, images, or internal URLs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal