A-Share Client Pre-Meeting Preparation Assistant (A股客户会前准备助手)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent A-share meeting-briefing helper with some activation and sharing caveats, but no hidden code, persistence, or unsafe install behavior was found.

Install this if you need A-share investor meeting preparation. Invoke it with a specific company name or ticker, verify all cited financial data, and review the brief before sending it to Tencent Docs, email, WeChat, DingTalk, or any shared workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 92% confidence

Finding:
The trigger list includes broad, common phrases such as “客户背景” and “meeting prep,” which can match ordinary user conversations and cause the skill to activate unintentionally. In this context, accidental activation can lead to unnecessary collection of company, meeting, and briefing-related context, increasing the risk of unintended data exposure or confusing skill routing.

Missing User Warnings

Medium, 89% confidence

Finding:
The workflow offers syncing generated briefings to Tencent Docs for team sharing, but the skill metadata and user-facing description do not clearly warn users that content may be transmitted to a third-party collaboration platform. Because the generated briefings may include sensitive meeting plans, research focus areas, or client-related context, silent or insufficiently disclosed syncing creates a meaningful confidentiality and data-governance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
