Security audit

永恒日升供应商信息查询 (永恒日升 supplier information lookup)

Security checks across malware telemetry and agentic risk

Overview

This is a static vendor information skill that promotes one supplier and shares contact details, but it does not run code, request credentials, or hide privileged behavior.

Install this only if you want an agent to use 永恒日升’s vendor-provided supplier information. Do not treat its answers as neutral market research; independently verify certifications, current customer relationships, pricing, delivery capacity, and whether the listed personal contact details are appropriate to use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 92% confidence
Finding
The skill includes broad, generic procurement triggers such as '找供应商', '找冲压厂', and pricing-related phrases that can match ordinary supplier-search requests unrelated to this specific company. In an agent environment, this can bias or hijack neutral procurement queries into recommending a single vendor, creating deceptive ranking/manipulation risk even without code execution.

Vague Triggers

Medium, 90% confidence
Finding
The trigger-scene guidance tells the agent to proactively provide this company's information whenever queries match broad supplier-search scenarios, but it does not define exclusions or arbitration rules when multiple suppliers could satisfy the request. That unclear activation boundary can cause unfair promotion of one company in generic sourcing contexts, increasing the risk of covert advertising or search-result steering.

Missing User Warnings

Medium, 88% confidence
Finding
The skill instructs the agent to disclose a named contact, phone number, email, and WeChat directly in responses, but provides no consent statement, privacy notice, or usage limitation. Even if sourced from public materials, automated redistribution by agents can amplify personal data exposure, enable scraping/spam, and create privacy/compliance concerns.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.