report-search

Security checks across malware telemetry and agentic risk

Overview

The skill transparently searches fxbaogao.com reports using local scripts; its only notable risk is an optional, disclosed SSL verification bypass that should stay off.

Install only if you are comfortable sending report search terms, author or organization filters, and selected document IDs to fxbaogao.com. Keep the default service URLs and do not set FXBAOGAO_SSL_NO_VERIFY=1 except briefly for a known local certificate-chain problem.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
TLS certificate verification can be disabled globally via FXBAOGAO_SSL_NO_VERIFY, causing the client to accept untrusted certificates and enabling man-in-the-middle interception or modification of API responses. In this skill, that is especially dangerous because both search results and report detail content are fetched over the network and then parsed and surfaced to downstream consumers, so tampered content could mislead users or alter tool output silently.

VirusTotal

65/65 vendors flagged this skill as clean.
