Back to skill

Security audit

铜锣湾神婆打小人

Security checks across malware telemetry and agentic risk

Overview

This is a local novelty chant skill, but it overreaches by forcing broad activation and unfiltered targeted curse output.

Install only if you intentionally want this specific ritual roleplay and are comfortable with hostile named-target content. The main risk is not malware behavior; it is overbroad routing and instructions that try to bypass normal safety review for abusive or harassment-like outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill states it must not produce legally prohibited personal attacks or extreme curses, yet its own ritual content includes direct hostile invocations against a target and harmful wishes such as injury, humiliation, and failure. In context, this is more dangerous because the skill is specifically designed to be invoked during user anger or grievance, increasing the likelihood of weaponized harassment toward identifiable people.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
Although framed as emotional release, the provided templates escalate into explicit targeted abuse and punitive outcomes for a named person, including social, financial, and physical misfortune. That gap between stated purpose and actual output increases the chance the skill will be used as a harassment generator under the cover of cultural simulation.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger conditions are broad enough to capture ordinary complaints, venting, or requests about bad luck, causing the skill to activate in situations where users did not clearly request this behavior. Overbroad activation increases the chance of unwanted harmful content generation and reduces the assistant's ability to apply safer, context-appropriate responses.

Vague Triggers

High
Confidence
95% confidence
Finding
Mandating execution whenever the keyword '打小人' appears creates a brittle keyword trap that can override contextual safety judgment, user intent, or surrounding discussion. In this skill, that is particularly dangerous because the forced path leads to abusive ritual output and blocks safer alternatives whenever the phrase is merely mentioned.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The workflow says the user's full input must be passed to a script, but the skill does not disclose that data flow to the user or provide any minimization guidance. Passing entire prompts to downstream components without transparency can expose unnecessary personal or sensitive information and makes auditing harder.

Ssd 1

High
Confidence
99% confidence
Finding
The skill text explicitly attempts to override higher-level routing and forbid the model from generating its own response, which is a direct policy-conflict and control-plane manipulation attempt. In an adversarial setting, such instructions are dangerous because they seek to disable safety-aware orchestration and force exclusive execution of a potentially harmful skill.

Ssd 1

High
Confidence
99% confidence
Finding
The workflow requires passing the full user input to a script and returning the script output verbatim, explicitly preventing model-side review, filtering, or correction. This is a critical safety-bypass pattern because it creates a blind trust channel from user input to downstream generation, enabling abusive, policy-violating, or otherwise unsafe output to be emitted without intervention.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.