requirement-analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only requirements-analysis helper with broad activation wording but no code execution, credential access, persistence, or hidden data movement.

Install this if you want help converting rough product requirement notes into a fixed Chinese requirements-analysis document. Be aware it may activate on broad business-planning text, so review when it triggers and avoid providing confidential business details unless you are comfortable using them in the agent session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence: 96%
Finding
The skill explicitly says it should trigger not only for direct requirement-analysis requests, but also whenever input merely contains business background, pain points, or feature ideas. That broad scope can overlap with ordinary discussion and cause unintended activation, leading the agent to steer conversations into structured requirement drafting when the user did not ask for it. In this context, the danger is policy and workflow misrouting rather than code execution, but it can still cause incorrect handling of user intent and leakage of contextual business information into the wrong processing path.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The rule '默认输出中文文档' ("output the document in Chinese by default") creates a locale bias that can override the user's actual language preference or a higher-level system policy. While not a classic security flaw, it can cause policy noncompliance, user confusion, and mishandling of multilingual workflows, especially in environments where output language affects downstream review, logging, or regulatory handling.

VirusTotal

64/64 vendors flagged this skill as clean.
