Back to skill

Security audit

Deepin Desktop Control

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Deepin desktop administration reference, but it exposes high-impact account, boot, and package-management commands without clear safety gates.

Install only if you want an agent to help administer a Deepin/UOS desktop through system D-Bus. Treat account, bootloader, package install, time, network, and security-setting commands as privileged actions: review each command before execution and require explicit confirmation for any change, especially user deletion, group edits, Grub changes, or package installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section documents privileged account-management operations such as creating and deleting users and groups, and enabling guest access, without any safety guardrails, confirmation requirements, or warning text. In an agent skill context, such ready-to-run root-level commands materially increase the risk of accidental privilege changes, account lockout, or unauthorized persistence if the agent is induced to execute them.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill presents bootloader modification and package installation commands with no warnings about system integrity, persistence, or recovery implications. In an automation/agent setting, changing Grub or installing packages can create durable system changes, break boot, or introduce privileged software changes from a simple prompt injection or user misunderstanding.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.