Back to skill

Security audit

Cgma Publish

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only CGMA management-accounting advisor with broad finance triggers but no code, install actions, credential access, or hidden behavior.

This looks safe to install as a low-risk instruction-only advisor, but treat it as financial and management guidance rather than authoritative advice. Because its triggers are broad, confirm the user actually wants CGMA-style financial analysis before relying on it, and separately review any referenced downstream financial skills before allowing them to handle sensitive business data, credentials, or investment workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes broad finance terms such as '投资分析', '估值建模', and '财富管理', which can cause the skill to activate in many unrelated conversations. Overbroad triggering can route users into a highly specialized finance persona unexpectedly, increasing the chance of misleading advice, unintended instruction precedence, or inappropriate handling of non-target requests.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.