Security audit

保险顾问助手Pro

Security checks across malware telemetry and agentic risk

Overview

This insurance-advice skill is coherent, but it asks for sensitive health and financial details and can place them into Feishu documents without enough privacy and storage safeguards.

Use only in an approved insurance-client workflow. Get explicit client consent before entering health, family, income, debt, or policy details; avoid unnecessary identifiers; do not generate Feishu documents unless the workspace and sharing permissions are approved; and store any customer archive only under your organization’s privacy, security, and retention rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium, 97% confidence
Finding
The skill is designed to collect highly sensitive personal, financial, and health information through multi-turn KYC and underwriting-style questioning, but it does not present an upfront privacy notice, consent mechanism, retention statement, or data-use disclosure before collection starts. In this context, the absence of a clear warning is more dangerous because the data includes medical history, family history, income, debt, and insurance status, which can cause serious privacy harm or regulatory exposure if mishandled.

Missing User Warnings

Medium, 98% confidence
Finding
The skill instructs generating Feishu documents containing customer insurance analysis and example payloads with detailed personal, health, and financial data, but it does not clearly warn users that their data may be transmitted to an external platform. This is particularly risky because the generated reports aggregate sensitive information into a shareable document, increasing the chance of unauthorized disclosure, third-party retention, or cross-system privacy noncompliance.

Missing User Warnings

Medium, 94% confidence
Finding
The SOP instructs collection of highly sensitive personal, health, and financial data, including medical history, family disease history, income, debt, and insurance status, but provides no privacy notice, data minimization guidance, retention limits, access controls, or consent requirements. In an insurance-advisor context, this increases the risk of over-collection, unauthorized disclosure, regulatory noncompliance, and downstream misuse of especially sensitive health data.

VirusTotal

63/63 vendors flagged this skill as clean.
