雄韬企业头条助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a corporate copy and poster assistant with disclosed local brand settings and expected rendering dependencies, though users should treat stored business details and optional image-generation prompts carefully.

Before installing, decide whether company names, customer details, brand tone, unpublished announcements, or visual prompts are appropriate to store in `.company-headlines/brand-card.md` or send through any Gemini/image-generation workflow. Back up the brand card before rerunning configuration if it has been customized.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 92% confidence
Finding: The skill states that it automatically saves a brand configuration file to `.company-headlines/brand-card.md`, but this persistence behavior is not surfaced as a clear user warning or consent step. Undisclosed local writes can surprise users, persist sensitive business/branding information, and create privacy or data-handling issues in shared workspaces.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal