Rd Cost

Security checks across malware telemetry and agentic risk

Overview

This is a single-file Chinese R&D cost budgeting skill with no executable code, persistence, credential use, or hidden data flow.

Safe to install from a security perspective. Use it for drafting R&D cost and budget reports, but avoid treating its compliance conclusions as final tax advice and review any sensitive salary, budget, or project data before sharing it with an agent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill instructs the agent to '务必使用此技能' for a broad class of budgeting, ROI, feasibility, and cost-analysis requests, creating an over-broad routing rule that can override better-suited tools or general reasoning. In an agent system, this can cause inappropriate activation, reduce user choice, and funnel loosely related financial requests into a rigid template with fixed assumptions, producing misleading or non-compliant outputs.

Natural-Language Policy Violations

Medium

Confidence: 82% confidence
Finding: The skill description and required output template are effectively Chinese-only and do not offer a language-selection mechanism. This is risky because it can cause the agent to ignore the user's preferred language, reduce transparency for non-Chinese-speaking users, and increase the chance of misunderstanding in financial/compliance contexts.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal