Back to skill

Security audit

中国节假日检测

Security checks across malware telemetry and agentic risk

Overview

This skill locally checks Chinese holidays and workdays, with a disclosed Python dependency and no automatic updates, persistence, credential use, or data sharing.

Install only if you are comfortable using the chinesecalendar Python package in the target environment. Prefer a virtual environment and review any suggested pip install or upgrade command before running it; the skill itself only checks local package status and dates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill's purpose is holiday checking, but the documentation expands behavior into subprocess-based package inspection and update guidance. That broadens the operational scope beyond the stated function and can normalize environment-manipulating actions in contexts that should remain read-only.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The complete example directly executes pip inspection via subprocess, despite being presented as a holiday lookup tool. Embedding process execution in an example increases the chance that agents or developers will copy unsafe patterns into production use and grants the skill unnecessary reach into the runtime environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.