China Electronic Components Suppliers

Security checks across malware telemetry and agentic risk

Overview

This is a local supplier-reference skill with no hidden execution, network access, credential use, or persistence, but its documentation understates that the bundled data includes company contact emails.

Safe to install from a code-security standpoint. Before using it for procurement or outreach, verify supplier details and contact channels independently, and be aware that the package includes direct company contact emails despite its documentation saying it only contains cluster-level intelligence.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The file goes beyond a general industry guide by publishing a structured list of specific factories along with direct contact email addresses. In an agent skill, this can be used to enable unsolicited outreach, targeted spam/phishing, vendor impersonation, or automatic procurement workflows against third parties who did not necessarily consent to being included in an actionable contact database.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal