Back to skill

Security audit

jp-device-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is only a placeholder response today and does not include code that can access vehicles, location, accounts, or device data.

Installing this version should not grant meaningful access. Re-review any later version that adds real JinPeng device connectivity, vehicle location, ride-history export, or parameter changes, and expect clear ownership verification, user consent, and privacy handling before real telemetry is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill description advertises access to sensitive telemetry such as vehicle location, real-time status, remaining battery, ride mileage, ride tracks, and data export, but provides no notice about privacy sensitivity, authorization requirements, or user-consent boundaries. Even though the file says the skill currently only returns a placeholder response, documenting these capabilities without safeguards normalizes potentially privacy-invasive behavior and could lead to unsafe implementation or user deception later.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.