Bid Compliance Check

Security checks across malware telemetry and agentic risk

Overview

This skill guides bid-document compliance review and shows no code, hidden transfer, persistence, or destructive behavior, though it may process sensitive procurement files.

Safe to install for intended bid or tender compliance review. Because procurement documents may be confidential, use it only when you mean to run a structured review and avoid attaching sensitive files unless that review is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding:
The trigger phrases are broad natural-language requests such as '帮我核对一下标书' and '帮我看看标书有没有漏的', which can match routine conversation without strong gating. This can cause unintended skill activation on sensitive procurement documents, leading to over-collection, misrouting of user inputs, or workflow execution when the user did not explicitly request this compliance-check behavior.

Vague Triggers

Medium
Confidence: 83%
Finding:
The manifest description advertises multiple broad trigger terms without defining when the skill should or should not activate. In a system that routes based on description text, this increases the chance of accidental invocation and exposure of potentially confidential bid materials to the wrong skill path.

VirusTotal

VirusTotal findings are pending for this skill version.
