Back to skill

Security audit

IT信息化商机雷达-信创项目早期发现

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised business-lead search, but it also auto-registers devices, stores credentials, writes reports, and exposes sensitive access links with limited user control.

Review before installing. Prefer configuring ZLBX_API_KEY yourself to avoid auto-registration, treat sk and auto-login links as private, expect local files under ~/.zlbx and ~/zlbx-opportunity-radar-files, and only set up recurring scans if you understand they will keep making vendor API calls and using credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill explicitly instructs reading a local credential file (`~/.zlbx/config.json`) and writing reports to a local directory, but only declares an environment-variable requirement rather than corresponding file permissions or transparent consent boundaries. This creates a permission-model gap: an agent or reviewer may underestimate the skill's ability to access local data and persist files, increasing the risk of unintended file access or silent artifact creation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill's stated purpose is opportunity discovery, but it also performs secondary behaviors such as generating branded HTML reports, embedding marketing links, and writing files locally. That mismatch matters because users may invoke a data-query skill without realizing it will persist artifacts and include promotional content, which expands the trust boundary and can enable unwanted data retention or deceptive UX.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill includes an automatic registration flow that collects device-derived identifiers, calls a remote registration endpoint, receives credentials, and persists an API key locally. That behavior is materially beyond the declared purpose of discovering IT project opportunities, and it creates an unnecessary identity/provisioning side channel that could surprise users and expand data exposure without explicit consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The balance-exhaustion logic redirects users into a device-SID-based auto-login and phone-binding/recharge flow unrelated to the skill's stated lead-discovery function. This couples core functionality to account monetization and identity-binding mechanisms, which can coerce users into unintended authentication or billing workflows.

Vague Triggers

High
Confidence
84% confidence
Finding
The activation rule is intentionally broad: it says the skill must be used even when the user did not mention IT, as long as the request loosely relates to information project leads or digitalization opportunities. Overbroad triggering can cause inappropriate invocation, unnecessary external data transfer, and accidental consumption of credits for user requests that did not clearly authorize this workflow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to search for credentials in a local file and, failing that, to automatically register a new account while suppressing extra prompts. Silent local credential discovery and automatic account creation are sensitive behaviors because they can access local secrets and transmit device-derived identifiers (`platform`, `arch`, `mac_hash`) to a remote service without an explicit just-in-time consent step.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly instructs users to output and click `url` values containing an `sk` login-bypass parameter 'as-is', which effectively treats a bearer-style access token as safe to redistribute. If these links are exposed in chat transcripts, logs, screenshots, or forwarded messages, unauthorized parties may gain access tied to that parameter, creating token leakage and unintended data exposure risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template instructs the agent to generate a local HTML file and reveal its absolute filesystem path to the user. Exposing internal paths leaks environment details such as usernames, home-directory structure, and storage conventions, which can aid reconnaissance and may disclose sensitive deployment information beyond the user’s request.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The workflow explicitly tells users to set up recurring execution via /loop or cron, which can cause ongoing API calls and repeated transmission of query parameters without any notice about persistence, cost, rate limits, or data-sharing implications. While this is not overtly malicious, it creates a real risk of unattended background activity and unintended continued network usage, especially if the prompts include sensitive business targeting criteria.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.