Security audit

外贸工厂询盘全流程 Agent (Foreign Trade Factory Inquiry Full-Process Agent)

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only trade inquiry and quotation helper, with no code, installs, credential access, storage, or automatic external actions.

Safe to install as a prose/template skill. Review generated prices, Incoterms, payment terms, bank details, legal/customs claims, and translated customer-facing text before sending, and avoid pasting unnecessary sensitive customer or contract data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The activation description is overly broad and can cause the skill to trigger for generic trade-related conversations, not just clear requests for external-trade inquiry handling. Overbroad routing can expose user content to the wrong workflow, produce irrelevant business actions, and increase the chance of unintended data collection or misleading automation.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding
The skill description presents bilingual Chinese-English output as mandatory rather than user-selected. Forcing dual-language output can cause unnecessary disclosure, reduce user control, and create compliance or confidentiality issues when the user only wants one language or is working with sensitive draft content.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The workflow requires bilingual quotation output and says it can be directly copied and sent, without user opt-in or review gates. In a trade and quoting context, this increases the risk of sending inaccurate, unintended, or over-disclosed commercial terms to customers in a second language the user did not request.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.