balbabalablabal

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WenDaoYun company-lookup skill that uses an API key and external queries for its stated purpose, with no executable install behavior found.

Install this only if you intend to query WenDaoYun company records. Keep the WENDAOYUN_API_KEY private, expect company names and selected lookup requests to be sent to WenDaoYun and consume quota, and confirm the exact company before legal, financial, or risk lookups.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill description says it should trigger whenever a user needs enterprise-related information, which is broad enough to match many generic business queries. Overly broad routing can cause the wrong skill to activate, leading to unnecessary collection or disclosure of sensitive company risk, legal, or financial data and bypassing more appropriate tools or user clarification.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal