ClawHub

全国招中标信息、政府采购项目查询-保标招标

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed tender-search integration that sends user search terms to its stated bid-data API using an API key.

Install this only if you are comfortable sending tender-search terms, company names, locations, bid IDs or URLs, and similar business research inputs to the stated Biaozhaozhao/Zhiliaobiaoxun API. Avoid entering secrets, regulated personal data, or confidential deal strategy as search terms, and keep the ZLBX_API_KEY scoped and rotated according to the provider's guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill performs network access and reads credentials/environment-backed configuration, but no explicit permission declaration is present in the manifest. This can undermine informed consent and platform policy enforcement because users may install a research skill without realizing it transmits data and uses secrets.

External Transmission

Medium
Category
Data Exfiltration
Content
"pageNumber": 20
}

response = requests.post(url, json=payload)
data = response.json()

if data.get("code") == 200:
Confidence
95% confidence
Finding
requests.post(url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
if area_name: payload["areaName"] = area_name
    if search_field: payload["searchField"] = search_field
    
    response = requests.post(url, json=payload, timeout=30)
    return response.json()
```
Confidence
96% confidence
Finding
requests.post(url, json=

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal