Vague Triggers
High
- Confidence
- 96% confidence
- Finding
- 该技能将触发范围定义为几乎所有编写、修改、审查、重构、解释代码的场景,属于明显的过度匹配。过宽的自动触发会让注释风格规则覆盖与其无关或仅部分相关的任务,进而干扰主任务要求,放大错误改写、误删说明性注释或违背用户明确指令的风险。
Code Comment
Security checks across malware telemetry and agentic risk
Overview
This is a disclosed comment-cleanup skill that is broad and opinionated, but it does not install code, request secrets, or add hidden runtime behavior.
Install this only if you intentionally want coding-task outputs to rewrite comments into concise Chinese. Review diffs carefully and give explicit instructions to preserve license notices, generated-file markers, lint directives, public API documentation, TODOs, and any repository-required English or mixed-language comments.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)
Natural-Language Policy Violations
Medium
- Confidence
- 92% confidence
- Finding
- 技能元数据直接声明“确保输出的代码注释符合…纯中文”,会在未征得用户同意的情况下强制改写注释语言。这会导致与项目既有语言规范、团队协作约定或用户显式要求冲突,尤其在英文代码库、国际化团队或需要保留原注释语言的场景中风险更高。
Natural-Language Policy Violations
Medium
- Confidence
- 94% confidence
- Finding
- 正文再次以规则形式要求“所有英文注释、中英夹杂注释,全部转换为地道纯中文”,进一步强化了无条件语言改写。由于这是直接作用于代码输出的硬约束,技能一旦被触发,就可能系统性破坏现有仓库注释规范、文档一致性以及跨团队可读性。
VirusTotal
66/66 vendors flagged this skill as clean.