天天Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only fund-information lookup that uses a user-provided 天天基金 API key to call the declared service.

Install only if you are comfortable configuring TTFUND_APIKEY for this skill and having that key sent to the 天天基金 skill gateway when you ask for fund information. Use a dedicated or limited-scope key if available, and treat returned fund data as informational rather than investment advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 87%
Finding
The example trigger phrases are broad enough to overlap with ordinary user conversation, which can cause unintended invocation of the skill and transmission of user-supplied fund identifiers or related context to an external service. In this skill, accidental activation is more concerning because it is wired to a remote API and encourages use of a locally configured API key, increasing the chance of unintended outbound requests.

VirusTotal

63/63 vendors flagged this skill as clean.
