yanyun1988 雪球整理

Security checks across malware telemetry and agentic risk

Overview

This is a static investment-commentary skill with financial-risk caveats, but it does not request credentials, run code, access accounts, or perform trades.

Install only if you want opinionated, persona-based stock commentary. Treat outputs as informational analysis, not personalized financial advice; verify facts independently, be cautious with rumors or dated market claims, and do not rely on it to decide trades without your own research or a licensed advisor.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger condition is broad enough that ordinary mentions of “燕云1988” or related concepts may activate the skill without clear user intent. In this context, accidental invocation is risky because the skill delivers strong, opinionated stock commentary that could steer financial decisions unexpectedly.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill provides extensive, highly specific securities analysis, target framing, and trading-style guidance but does not warn users that outputs are commentary rather than financial advice. Because the content is detailed, authoritative, and includes portfolio positions, timing views, and buy/hold/sell logic, users may over-trust it and act on risky or unsuitable investment recommendations.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal