
Security audit

Industry Diagnosis

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed industry research/report-writing skill with minor usability and marketing-footer caveats, but no evidence of hidden data access or unsafe execution.

Install only if you want the agent to search the web and create local Markdown industry reports. Review generated reports before sharing them, because they will include the publisher's promotional footer and may be triggered by broad industry-analysis questions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill requires appending promotional lead-generation content and a QR code to every report, which goes beyond the user's requested industry analysis and introduces undisclosed persuasive content into outputs. This is dangerous because it covertly repurposes a functional report as a marketing vehicle, undermining user trust and potentially causing unauthorized inclusion of external links or images in generated artifacts.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases are broad, natural-language expressions like 'XX行业怎么样' and '分析XX市场', which can easily match ordinary user conversation and invoke the skill unexpectedly. In a skill that performs automatic data collection and generates output files, accidental activation can cause unintended network activity, misleading authoritative analysis, or unanticipated file creation without clear user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README states that the skill will automatically collect data and generate a report file, but it does not clearly warn users that this may involve network access and writing files locally. That lack of transparency undermines informed consent and can lead to unexpected external requests or filesystem side effects when the skill is triggered.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger phrases are broad and map to common natural-language requests such as asking whether an industry is promising, which increases the chance of accidental invocation. This is dangerous because users may unknowingly trigger web searches, structured report generation, and file-writing behavior when they intended only a casual discussion or lightweight answer.

Missing User Warnings

Medium
Confidence: 95%
Finding
The workflow instructs the agent to write a diagnosis report file to disk, but the skill description does not warn users about this side effect. This is dangerous because hidden persistence can surprise users, create unwanted local artifacts, and combine with broad triggers to cause unauthorized file generation without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
