Back to skill

Security audit

围棋棋谱数据库

Security checks across malware telemetry and agentic risk

Overview

This is a local Go game-record database tool, but it includes under-documented destructive database actions and unrestricted export file writes that users should review carefully.

Install only if you are comfortable with a local CLI that can modify, export, and permanently delete its own game-record database. Keep backups of `~/.weiqi-db/database.json`, review any proposed `delete`, `clear`, `overwrite`, `update`, `tag`, or `get -o` command before running it, and avoid export paths that point at important existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The example trigger phrases are broad natural-language requests such as finding a player's games or getting an SGF, which can overlap with ordinary conversation. If the platform uses these examples for routing or activation, the skill may trigger unintentionally and cause unintended local database reads, metadata changes, tagging, deletion, or file exports without the user intending to invoke this specific tool.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.