1688 Procurement Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only procurement coaching skill with no code, credentials, background behavior, or autonomous purchasing authority.

Safe to install as a procurement guidance resource. Treat its supplier, pricing, compliance, logistics, and payment advice as coaching, not professional legal, customs, quality-control, or financial advice, and avoid sharing unnecessary sensitive business or budget details unless needed for the sourcing question.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The command reference maps very broad, natural phrases like "What should I buy?" or "Best shipping option?" to specific modules, which can cause accidental skill invocation in unrelated conversations. In an agent environment, this creates unintended routing and context capture risk, especially if the skill activates when the user did not intend procurement assistance.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal