招投标助手(Bid Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent bid-document assistant, but users should treat tender files and company materials as sensitive before uploading them.

Install only if your organization allows AI processing of tender, pricing, customer, qualification, personnel, and historical bid materials. Use redacted or approved files for demos, confirm Feishu/Hermes storage and retention settings, and keep final bid decisions, pricing, commitments, stamping, and submission under human control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The demo script instructs users to upload tender documents and related work designs to the assistant, but it provides no warning about confidentiality, customer data, pricing strategy, or procurement-sensitive information. In a bidding context, these files often contain proprietary and restricted business material, so normalizing blind upload behavior can lead to unintended data exposure or policy violations.

VirusTotal

61/61 vendors flagged this skill as clean.
