A Mathematics Problem-Solving Coach Skill Based on Socratic Dialogue Guidance

Security checks across malware telemetry and agentic risk

Overview

This is a simple math tutoring prompt skill with no code, data access, persistence, or privileged behavior.

Install it for math tutoring if Chinese-language instructions are acceptable in your environment. Be aware it may activate for math-related student questions, and avoid sharing sensitive student information unless your host environment is approved to handle it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger condition '在对话中当学生询问数学问题时自动触发' ("automatically triggered when a student asks a math question in the conversation") is very broad and lacks clear scope, consent, or disambiguation rules. In an agent environment, this can cause the skill to activate on loosely related conversations, leading to unintended handling of user input, incorrect interception of other tasks, or unnecessary exposure of conversation context to the skill.

Natural-Language Policy Violations

Medium
Confidence: 76%
Finding
The README describes the skill entirely in Chinese and does not document whether language selection is based on user preference, locale, or an explicit configuration. While not a classic security flaw, forced language behavior can create usability and policy issues in multi-user or multilingual environments, increasing the chance of misunderstanding instructions, mishandling user intent, or bypassing expected localization controls.

VirusTotal

65/65 vendors flagged this skill as clean.
