Bailian Ai Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud AI CLI helper, but local files provided to it may be uploaded for cloud processing.

Install only if you trust the external bailian-cli package and Alibaba Cloud/Bailian services with the prompts and files you provide. Treat local file paths as remote uploads, avoid confidential or regulated data unless approved, and use a dedicated limited-scope API key where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill prominently advertises that commands accepting URLs also accept local file paths and that the CLI will automatically upload them, but it does not present this as a privacy/security warning to the user. In a high-priority default tool, this can cause users or downstream agents to send sensitive local files to a remote service without informed consent, especially when prompts or examples normalize passing local paths directly.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal