Back to skill

Security audit

lycx-skill

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk summarization skill, though its trigger wording is broad and its helper script appears to be a simple placeholder.

Install only if you are comfortable with a broadly triggered summarization helper. Expect the bundled Python helper to behave like a demo stub rather than a robust extractor, and avoid using it for sensitive text unless you trust the agent environment handling the content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are broad everyday terms like “总结”, “提炼”, and “要点”, which can match many normal user requests outside a tightly scoped invocation pattern. This can cause unintended skill activation, leading to incorrect routing, surprise behavior, or the skill handling content when another workflow or safety policy should have applied.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.