Back to skill

Security audit

采购意向监控-发标前1-3个月对接

Security checks across malware telemetry and agentic risk

Overview

This procurement-monitoring skill is useful but needs Review because it can automatically create an account, fingerprint the device, persist an API key, and write shareable reports.

Install only if you are comfortable with the provider creating or reusing a trial account automatically, sending a hashed MAC/device profile for deduplication, storing an API key in your home directory, and saving report files locally. Prefer setting your own ZLBX_API_KEY first, review generated HTML before sharing it, and treat sk/auto-login links as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares only an environment variable requirement, but its instructions explicitly direct local file reads (`~/.zlbx/config.json`) and writes (`~/zlbx-opportunity-radar-files/`). That creates capability drift between the manifest and actual behavior, preventing users or policy engines from accurately understanding or constraining what the skill can access on the host.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs automatic account registration when no API key is present and uses device fingerprint elements (`platform`, `arch`, `mac_hash`) plus local credential persistence. Even if presented as privacy-preserving, silently creating remote accounts and storing credentials expands data collection and identity state beyond the user's procurement query, and the fallback from explicit credentials to implicit registration reduces informed consent.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The document instructs the agent to automatically register an account and persist an API key when the user has not explicitly configured credentials. That behavior is outside the stated procurement-monitoring purpose and creates an undisclosed account creation and local credential storage pathway, which can bypass informed consent and expand the skill’s privileges on the host.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill collects device fingerprint components such as platform, architecture, and a hashed MAC address to deduplicate free-trial accounts, then uses them for auto-registration. Even if minimized, this is still host fingerprinting unrelated to procurement analysis, and it enables account provisioning tied to device identity without a clear user-driven need.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The balance-exhaustion flow generates login links and presents recharge and phone-binding guidance, which extends the skill into account marketing and monetization behavior unrelated to procurement monitoring. While less severe than credential creation, it still broadens the skill’s operational scope and can steer users into external account actions they did not request.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The template explicitly requires exposing full API-returned URLs including `sk` login-bypass/share parameters to the user. If `sk` functions as an access-bearing token, disclosing it in chat and HTML exports can leak authenticated access to recipients, logs, screenshots, or downstream systems, enabling unauthorized viewing of procurement records.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The template directs the agent to automatically write report data to a temporary JSON file and execute a local Python script to generate an HTML file. This expands the trust boundary from text generation into local file creation and code execution, increasing risk of sensitive data persistence, unsafe path handling, or command/script abuse if any report fields are attacker-controlled.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The guidance instructs the agent to create local artifacts and export a shareable HTML report by default without any user-facing disclosure or consent. In this skill context, reports may contain procurement intelligence, links with access parameters, and organization names, so silent persistence/export increases privacy, data-retention, and unintended sharing risks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The subscription-mode trigger uses very broad natural-language cues like '持续盯/每天看/定期报', which can cause the agent to enter a recurring-monitoring workflow on ambiguous user requests. In an agent setting, this increases the chance of unintended persistence, overscoped monitoring, or repeated actions without sufficiently explicit user consent, especially because the workflow then guides users to automate future executions.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.