Back to skill

Security audit

Enterprise Query

Security checks across malware telemetry and agentic risk

Overview

This paid business lookup skill matches its stated purpose, but it needs review because it auto-installs a payment skill globally and the package only contains instructions, not the scripts it tells the agent to run.

Review before installing. The paid query flow is disclosed, but installation may add an external wallet skill globally for all agents, and this package does not include the scripts it commands the agent to execute. Use only if you trust the yeeap payment workflow and are comfortable with Chinese-only payment and error prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
该 Skill 强制要求所有用户交互仅使用中文,未提供用户选择或回退机制。这会限制非中文用户理解支付、权限、失败原因和安全提示的能力,可能导致用户在不充分知情的情况下继续执行付费或敏感操作。

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.