Back to skill

Security audit

China Export Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only trade data lookup tool, but users should know the API provider logs query details and IP addresses.

Install only if you are comfortable sending trade-research queries to doumaotong.com and having the provider log your IP address and request parameters. Do not provide credentials if prompted, since the skill says none are required, and verify important figures against China Customs or UN Comtrade for high-stakes decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented primarily as a data-query capability, but it explicitly states that every API call logs client IP addresses and full request parameters. This creates an undisclosed privacy and telemetry risk because user queries may reveal commercial interests, research topics, or sensitive business intent, and IP addresses are personal data in many jurisdictions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.