Content Creation Helper

Security checks across malware telemetry and agentic risk

Overview

This is a finance-content writing aid with no credential use, network access, persistence, or hidden execution behavior found.

Installers should treat this as a drafting/template helper, not financial advice. Provide verified market data yourself, confirm the intended platform and language, and review outputs for compliance, accuracy, and clear risk disclaimers before publishing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger guidance is broad enough to activate on generic social-media copywriting requests, which can cause the agent to inappropriately route unrelated prompts into a finance/trading content workflow. In practice this creates scope confusion and raises the chance of generating regulated or risky financial content when the user did not explicitly ask for it, especially because the rest of the skill strongly biases toward trading-oriented outputs.

Natural-Language Policy Violations

Medium

Confidence: 81% confidence
Finding: The skill metadata and content assume Chinese-language output and Chinese platforms without checking the user's preferred language or confirming platform intent. This can cause unintended language switching, user confusion, and misalignment with the actual request, though it is more of a safety/UX scoping issue than a direct security flaw.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal