Security audit

Xiao Chuang You Geography

Security checks across malware telemetry and agentic risk

Overview

This looks like an informational travel or geography skill with overly broad activation terms, but no evidence of harmful access or hidden behavior.

Install only if you want a broad travel/geography assistant. Be aware it may activate for general city or current-affairs questions where a weather, news, or specialized local-information skill would be a better fit.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 96% confidence
Finding: The skill description and activation scope are broad enough to match many ordinary travel, city, weather, history, and geography queries, which can cause over-activation outside the intended niche. This is dangerous because an over-triggering skill can hijack routing, suppress better-matched skills, and increase the chance that users receive incomplete or biased responses constrained by this skill's rules.

Vague Triggers

High

Confidence: 99% confidence
Finding: The explicit trigger list includes highly ambiguous terms such as common city names, general travel words, and broad concepts like weather, politics, economy, and future, with no boundary conditions. In a multi-skill system this materially increases unintended activation and prompt-scope capture, allowing this skill to answer many unrelated queries and potentially override safer or more specialized skills.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal