众安车险自助投保 (ZhongAn Car Insurance Self-Service Policy Purchase)

Security checks across malware telemetry and agentic risk

Overview

This car-insurance skill has a coherent purpose, but it asks the agent to persist sensitive identity and authentication data and to bypass a browser security warning during payment.

Review this skill carefully before installing. It appears intended for a real car-insurance workflow, but it should be changed to avoid writing credentials or ID details into SKILL.md, require explicit consent before transmitting personal data, remove API keys from URLs, require confirmation before opening payment pages, and stop rather than bypass any browser security warning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill explicitly instructs persisting a daily authentication token and the user's phone number into environment variables and the main SKILL.md for reuse. Storing live credentials and personal data in durable configuration exceeds the immediate need of the insurance flow and creates unnecessary exposure to later sessions, logs, backups, or unrelated tooling that can read those locations.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill instructs the agent to execute local OS commands (`open`/`start`) to launch a payment URL, which extends behavior from normal business API calls into direct host-side command execution. Even though the goal is to open an insurance payment page, using shell-level commands on the local machine increases the attack surface and could be abused if the URL is malformed, substituted, or if command invocation semantics differ across environments.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs storage of highly sensitive personal data such as phone number, owner name, and government ID number, but provides no explicit privacy notice, consent flow, retention policy, or handling constraints. This creates a real privacy and security risk because users may provide regulated personal data without being informed how it will be stored, for how long, or who can access it.

Missing User Warnings

Medium
Confidence: 96%
Finding
The workflow sends personal and vehicle information to an external insurance service for quoting, underwriting, payment, and policy issuance, but the skill does not clearly warn the user that their data will be transmitted to third-party network services. In an insurance context, this includes sensitive identity and vehicle data, so lack of transparent disclosure undermines informed consent and can lead to privacy, compliance, and trust issues.

Missing User Warnings

High
Confidence: 98%
Finding
The skill directs storage of sensitive authentication material and a phone number without any warning, consent, retention limits, or handling safeguards. This increases the chance that credentials are unintentionally retained, reused across conversations, or exposed to operators, logs, and other skills with access to the same environment or files.

Missing User Warnings

Medium
Confidence: 95%
Finding
Requiring the authentication token in both the header and query string unnecessarily broadens its exposure surface because query parameters are commonly captured in access logs, browser history, proxies, analytics, and monitoring systems. Omitting any warning or mitigation makes credential leakage more likely if the skill or infrastructure follows this documentation as written.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documented flow automatically opens the payment page and tells the user only afterward that it has been opened, which is an unsafe side effect for a sensitive financial action. In a payment context, automatically navigating the browser can surprise users, reduce informed consent, and make phishing or misdirection harder for users to detect.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill sends insurance and transaction identifiers such as vehicle number and insureFlowCode to an external gateway without any user-facing privacy notice or transmission warning. In an insurance workflow these identifiers are sensitive and can enable tracking, policy lookup, or further disclosure if sent to the wrong endpoint or handled insecurely.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs collection and transmission of highly sensitive personal data such as full name, national ID number, VIN, engine number, and registration date without any privacy notice, minimization guidance, masking requirements, or explicit user-consent step. In an insurance workflow this increases the risk of over-collection, inadvertent disclosure, and unsafe downstream handling of regulated personal information.

Missing User Warnings

Medium
Confidence: 97%
Finding
The curl examples demonstrate transmitting sensitive personal data and an API credential to an external gateway without any warning about secret handling, transport safeguards, log exposure, or data-transfer implications. The example is especially risky because it places the API key in the query string, which is commonly captured by proxies, browser history, and server logs.

Ssd 4

High
Confidence: 98%
Finding
The instructions explicitly tell the agent to proceed past an HTTP form security warning by finding and clicking a 'still send' button. Normalizing the bypass of browser security warnings is dangerous because such warnings exist to protect users from insecure or downgraded form submissions that may expose payment or identity data.

VirusTotal

56/56 vendors flagged this skill as clean.