张洪Heo博客助手

Security checks across malware telemetry and agentic risk

Overview

This is a public blog assistant that fetches and searches Zhang Hong Heo blog content, with no evidence of hidden code, credentials, persistence, or destructive behavior.

Install this if you want a helper for Zhang Hong Heo's blog. Configure your agent to use it only when the request clearly refers to that blog or its site assistant, because generic requests about blogs, bloggers, or article search could otherwise be routed to the external site.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes generic terms like “博客”, “博主”, and especially “Heo”, which are broad enough to match many unrelated user requests and cause accidental skill invocation. Over-broad activation increases the chance of unnecessary browsing or external requests being performed in contexts the user did not intend.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The instruction “用户要求与智能体聊天或搜索文章时使用此 skill” is ambiguous because it does not require that the user be referring specifically to 张洪Heo’s blog or assistant. That ambiguity can route unrelated requests into this skill, causing unintended site access, search, or data retrieval from external services.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal