Back to skill

Security audit

伐谋 - 数据分析工具

Security checks across malware telemetry and agentic risk

Overview

This is a data-analysis instruction skill with broad dataset-related triggers, but no hidden code, persistence, credentials, or unrelated access.

Install this if you want help inspecting, cleaning, summarizing, and reporting on uploaded datasets. Because the trigger is broad, it may activate on brief dataset-related requests; review proposed cleaning steps and avoid uploading sensitive files unless you are comfortable having them processed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

High
Confidence
92% confidence
Finding
The skill declares it must be invoked for very broad phrases such as '帮我看看这个数据' or '分析一下' whenever context may involve a file or dataset. This can cause over-triggering, routing unrelated requests into a data-analysis workflow, increasing unintended file access and expanding the skill's operational scope beyond clear user intent. In this context, the risk is amplified because the skill explicitly points to filesystem locations for uploaded files and outputs, so mistaken invocation may expose or process sensitive user data unnecessarily.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.