Utf8 Time

Security checks across malware telemetry and agentic risk

Overview

This is a small time-display skill whose code only prints the current local time, with the main caveat that its activation phrases are broader than necessary.

This appears safe to install if you want a simple current-time helper. Be aware that the trigger "now" may invoke it when you did not specifically ask for the time; a tighter trigger such as "current time" or "what time is it" would be preferable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger `now` is overly broad and commonly appears in ordinary conversation, so this skill may activate in many contexts unrelated to asking for the current time. That can cause unintended invocation, incorrect routing, or prompt/skill hijacking behavior where this skill preempts more appropriate handling.

Vague Triggers

Medium
Confidence: 88%
Finding
Describing activation as monitoring for `time-related keywords` implies a broad and weakly constrained match strategy that can fire on many unrelated utterances. In an agent environment, overbroad keyword activation increases accidental invocation and can interfere with correct skill selection, making behavior less predictable and easier to manipulate.

VirusTotal

63/63 vendors flagged this skill as clean.
