Back to skill

Security audit

链企投标文件生成

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate bid-document assistant, with clear warnings that it uploads selected procurement files to its service and stores an account key locally.

Install only if you are comfortable sending tender and bid documents to biaoshu.zhiliaobiaoxun.com, where results are retained for a limited period under your App Key account. Keep the App Key out of chat, verify any custom ZCM_BASE setting before use, and confirm billing/points before generating final bid documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
95% confidence
Finding
The skill mandates use for broadly defined bidding-related requests ('must use this skill') without meaningful exclusions or user opt-in. That can coerce routing of many ordinary requests into a workflow that uploads sensitive procurement and bid documents to a third-party server, increasing privacy and data-exposure risk beyond what the user may expect.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill requires verbatim Chinese output and specific scripted wording regardless of user language preference. This can impair informed consent and accurate comprehension of security-relevant disclosures, especially for App Key handling, file-upload warnings, billing, and data retention, if the user does not read Chinese well.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.