Security audit

承运商指数查询

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the carrier-index analysis it claims, with no hidden code or persistence found.

Install only if you are authorized to use the carrier spreadsheet and Jingwe portal. Provide a narrow file path, verify the carrier and date before running, and only trigger the download when you intend to retrieve anomaly details from that portal.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The activation condition is vague enough that the skill may trigger on loosely related user requests about carriers or logistics scores without clear user intent to access local files or perform downstream web actions. In this skill's context, ambiguous activation is more dangerous because the workflow includes reading local Excel/CSV data and initiating external site interactions, which can cause unintended data access or transfer.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs reading local .xlsx/.csv files and interacting with HTTP web resources, including download behavior, without any notice, consent flow, trust validation, or data minimization safeguards. This is dangerous because potentially sensitive business data from local files and query parameters such as carrier name and date could be exposed to external services or trigger unintended downloads, especially since the referenced URLs use insecure HTTP rather than HTTPS.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal