Security audit

围棋记谱工具

Security checks across malware telemetry and agentic risk

Overview

This skill is a local browser-based Go/weiqi game recorder whose files match its stated purpose and do not show network access, credential handling, or hidden automation.

Install this when you specifically want a Go/weiqi notation web tool. It runs locally in the browser, saves game state in localStorage, and can copy or download SGF records when you use those controls; ambiguous requests for a generic recording or notation tool should be confirmed first.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list includes generic phrases such as “给我记谱” and “发记谱工具”, which are broad enough to activate the skill in conversations where the user may not specifically want this exact local HTML tool. Over-broad activation can cause unintended skill invocation and delivery of executable local content, increasing the chance of confusing, irrelevant, or unsafe tool exposure even though the skill itself appears offline and non-networked.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal