美国市场政策查询Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a query-focused analysis aid, with no artifact-backed evidence of hidden actions, persistence, credential theft, or destructive behavior.

Before installing, treat outputs as research assistance rather than financial, legal, or policy advice. Avoid sharing confidential business plans or personal financial details unless you understand where the skill sends data, and give explicit, bounded prompts when using it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The README shows very broad natural-language invocations such as asking the agent to analyze U.S. business, policy changes, or investment risk without defining clear activation boundaries, authorized data sources, or scope limits. In an agent ecosystem, ambiguous triggers can cause over-broad skill activation, unintended delegation, or use in contexts the user did not specifically intend, increasing the chance of data exposure or unsafe automated actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal