Anti-Corner-Cutting Quality Guard System (防偷工减料质量守卫系统)

Security checks across malware telemetry and agentic risk

Overview

The available evidence shows no malware detections or concrete artifact-backed unsafe behavior; the main concern is broad activation wording that users should invoke deliberately.

Reasonable to install based on the available evidence. Use explicit requests when invoking it, and review any prompts that would write memory, change workflow rules, or persist agent behavior before allowing those actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The quick-start phrases are generic imperatives that can activate the skill in a wide range of normal conversations without explicit user intent to invoke this specific workflow. In an agent environment, broad triggers can cause unintended execution of guard logic, memory-writing behaviors, or workflow changes based on loosely matching requests, which is a prompt-surface and control-flow risk even if the skill is safety-oriented.

VirusTotal

65/65 vendors flagged this skill as clean.
