Security audit

PV String design 光伏组串设计

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only solar PV design helper; its broad triggers and location-based weather lookup deserve care, but the artifacts do not show hidden access, code execution, persistence, or data mutation.

Install only if you want an agent to help with PV string sizing. Be aware that project location may be used for weather or temperature lookup, and verify equipment datasheets, weather sources, local code requirements, and final designs with a qualified professional before implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 80%
Finding
The auto-trigger list includes broad phrases such as "光伏系统设计" and related generic design terms, which can match ordinary discussion and cause the skill to activate unexpectedly. In an agent setting, over-broad activation can route unrelated user requests into a specialized calculation workflow, leading to incorrect outputs, unnecessary tool use, or unintended access to external lookups such as location-based temperature queries.

Vague Triggers

Medium
Confidence: 87%
Finding
The skill description advertises automatic triggering for broad photovoltaic design requests without defining narrow eligibility checks or explicit exclusion criteria. In an agent setting, this can cause the skill to activate during general discussion, leading to unintended tool behavior, incorrect assumptions, or premature structured calculations based on incomplete user input.

Vague Triggers

Medium
Confidence: 92%
Finding
The keyword list includes generic phrases such as photovoltaic system design, inverter matching, and how to string panels, which may overlap with routine advisory conversations. Because the skill performs authoritative engineering calculations and recommendations, accidental invocation could produce unsafe or misleading outputs if context, locale, or equipment parameters are incomplete.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.