Back to skill

Security audit

AI销售线索雷达-政企销售找客户

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can automatically register a third-party account, fingerprint the device, and store credentials and reports locally without clear user approval.

Install only if you are comfortable using Zhiliaobiaoxun’s external service for lead discovery. Prefer setting your own ZLBX_API_KEY before first use to avoid automatic device-based registration. Review or restrict the local files ~/.zlbx/config.json and ~/zlbx-opportunity-radar-files/, and treat exported reports and sk-containing links as sensitive because they may grant direct access to service pages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill explicitly instructs reading from `~/.zlbx/config.json` and writing reports to `~/zlbx-opportunity-radar-files/`, but the manifest does not declare file permissions. This creates a transparency and consent gap: the agent may access local files and persist artifacts beyond what a user would expect from a lead-discovery skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
77% confidence
Finding
The documented behavior goes beyond lead discovery into local HTML report generation, export features, and promotion of fixed external platforms, which is not fully reflected in the top-level description. Such mismatch is dangerous because it obscures data flows, local side effects, and external linkage, reducing informed user consent and making abuse harder to spot.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill directs the agent to automatically register an external account when no API key is present and to collect device-derived identifiers such as platform, architecture, and MAC hash. Even if framed as low-sensitivity telemetry, this initiates third-party account creation and device fingerprinting without explicit user approval, which is a meaningful privacy and consent risk.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The workflow instructs the agent to source and persist credentials in a local config file outside the skill directory. While common operationally, storing or reading credentials from local files without explicit permission broadens secret exposure and can normalize unsafe credential handling for a task that primarily appears to be data lookup.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file instructs the agent to perform automatic account registration, collect device-derived identifiers, call remote internal APIs, and persist credentials locally, none of which are disclosed by or necessary for a sales-lead discovery skill. This creates an unexpected trust boundary expansion: a user invoking a lead-mining skill may unknowingly trigger local fingerprinting and credential management behavior with privacy, consent, and supply-chain risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill directs collection of platform, architecture, and a hashed MAC-derived identifier to deduplicate devices for trial issuance. Even though the raw MAC is not transmitted, the hash is still a persistent device fingerprint that can track a machine across sessions and is unrelated to the stated business function of finding sales leads.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill writes API keys to a persistent local config file and manages source metadata, despite being framed as a lead-discovery capability rather than an installer or auth manager. Persistent credential storage increases the blast radius of compromise on the host and can surprise users who did not expect a content-oriented skill to modify their filesystem and authentication state.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill includes logic to generate device-bound login/recharge links when quota is exhausted, extending its behavior into account lifecycle management unrelated to lead intelligence. While not inherently malicious, embedding monetization/account-link generation in a data-retrieval skill increases phishing-like risk and conditions the agent to present actionable auth links derived from backend responses.

Vague Triggers

High
Confidence
88% confidence
Finding
The skill says it must be used for a very broad range of sales, market-development, and customer-finding requests, even when the user did not ask for lead generation. Over-broad activation increases the chance of unnecessary external API calls, unintended data disclosure to the vendor, and surprise billing or account actions in contexts where this skill is not actually needed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly instructs operators to output `url` values containing an `sk` login-bypass parameter and says they can be clicked directly. That effectively treats a bearer-style access token as shareable output, which can leak authenticated access through chat logs, screenshots, forwarding, browser history, or downstream systems. In a sales-lead skill that distributes links to users, this context makes accidental disclosure more likely and therefore increases risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document states that expiring-project results include contact fields, but only references being 'restrained' in output without an explicit data-handling warning or minimization rule. This can lead the skill or its operators to expose personal contact information unnecessarily, creating privacy, compliance, and social-engineering risk, especially in a lead-generation workflow designed to surface and distribute prospect data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template instructs the agent to serialize report data to JSON, write it to a temporary file, and generate a shareable HTML file, but it does not require explicit user consent or clear disclosure before persisting potentially sensitive business-intelligence data to disk. In this skill context, the report contains lead lists, procurement signals, renewal windows, and URLs with access-enabling parameters, so silent file creation increases the risk of unintended local data retention, oversharing, and exposure through shared paths or reused temporary artifacts.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The workflow explicitly instructs every request to include an API key header and a client identifier, but it does not warn that requests are being sent to an external service or provide any guidance on secure credential handling. In an agent skill context, that omission can lead to accidental transmission, logging, or reuse of sensitive credentials by downstream tooling or users who may not realize they are exposing secrets to a third-party endpoint.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.