可转债打新助手

Security checks across malware telemetry and agentic risk

Overview

This skill does not show malware behavior, but it advertises actionable financial analysis while relying on mock data and broken code.

Review carefully before installing. Treat this as a demo or educational sample, not a trading assistant: verify all dates, prices, alerts, and investment decisions against official exchange, broker, or issuer sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases are generic financial terms like '转债分析' and '可转债打新', which may activate the skill during ordinary investment discussions rather than an explicit request to use this tool. Overbroad invocation can cause unintended execution, unnecessary network calls, and accidental disclosure of user context to the skill workflow.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal