Lucky Wallpaper Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says, but it can publish to a social platform and save generated output with unclear confirmation and retention boundaries.

Install only if you want the agent to help operate a logged-in Xiaohongshu/social account. Use dry-run or review mode first, inspect the exact content and destination account, and require an explicit confirmation before any publish action. Also check where generated files are saved and remove drafts or reports that should not persist.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill advertises '自动发布：对接小红书发布流程' without any visible warning, consent step, or explanation that content may be transmitted to an external platform. In an agent context, undocumented external posting can cause unintended data disclosure, unwanted account actions, and reputational harm if the agent publishes on the user's behalf.

Missing User Warnings

Low

Confidence: 79% confidence
Finding: The workflow states that generated outputs are saved to a directory, but does not clearly warn users that files will be created on disk or explain where data will persist. While less severe than external posting, undocumented file creation can surprise users, consume storage, and leave potentially sensitive or proprietary generated content behind on the local system.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal