Back to skill

Security audit

My Skill

Security checks across malware telemetry and agentic risk

Overview

This is a low-risk instruction-only skill, but its weather description does not match its Feishu chat-test instructions.

Before installing, confirm whether this is intended to be a weather lookup skill or a Feishu bot test skill. It does not show dangerous behavior, but the publisher should align the name, description, and instructions so users know what capability they are enabling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill manifest repeatedly advertises a weather-fetching capability, while the body describes a generic Feishu chat/test skill. This mismatch can mislead reviewers, users, or orchestration systems about what the skill is supposed to do, weakening trust and making it easier to hide unintended behavior behind inaccurate metadata.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is broad enough to imply the bot can be triggered generally in group chats or private chats without clear constraints. Overly broad trigger descriptions can cause unintended activation, ambiguous routing, or accidental exposure of the skill in contexts where it was not meant to run.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.