Security audit

INS 情绪内容（含Meme）

Security checks across malware telemetry and agentic risk

Overview

This is a marketing-copy skill for FridayParts Instagram posts, with no executable code, credential access, persistence, or hidden data handling.

Install this if you want a FridayParts-focused Instagram content assistant. Review or narrow the triggers if your environment has many creative-writing skills, and expect outputs to default to English unless you edit the prompt.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The trigger list includes broad, common terms such as 'instagram', 'meme', 'reel', and '表情包', which can cause the skill to activate in unrelated conversations. In an agent environment, unintended activation can override user intent, inject brand-specific behavior, or cause inappropriate content generation when the user did not ask for this skill.

Natural-Language Policy Violations

Medium

Confidence: 80% confidence
Finding: The skill explicitly mandates '全部英文输出' regardless of user language or preference. While not a classic security flaw, this can create prompt-priority conflicts and unsafe usability behavior by causing the agent to ignore user instructions, which is especially problematic in multilingual environments.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list includes broad, common terms such as "meme," "reel," and Chinese slang like "段子," which can cause the skill to activate for unrelated user requests. That creates prompt-routing risk: benign conversations about general social media content may be steered into this branded marketing behavior unexpectedly, reducing user control and increasing the chance of off-target content generation.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The use-when description is broad and underspecified, covering generic Instagram content, memes, reels, and jokes without clear limits. In a multi-skill environment, this ambiguity can cause unintended invocation on ordinary creative requests, leading to irrelevant branded outputs or suppression of more appropriate skills.

Overly Broad Trigger

Low

Category: Trigger Abuse
Confidence: 92% confidence
Finding: The trigger '段子' is very short and semantically broad, making accidental invocation likely in many unrelated Chinese conversations about jokes or humorous content. In a skill-routing system, this increases the chance of misfiring and producing branded or off-target outputs without sufficient user intent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.