高考志愿

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for a paid, read-only college application data API; the main caution is protecting the API key and secret.

Install only if you trust zhiyuanx.com and need this paid API. Store the API Key and Secret only in trusted encrypted credential fields or a secret manager, never in prompts or public files, and rotate or revoke them if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill explicitly tells users they can view, copy, and manage their AK/SK credentials, but provides no warning that these are secrets that must not be shared with downstream agents, logs, or public workflows. In an agent/skill ecosystem, this omission increases the chance users paste long-lived credentials into untrusted tools, leading to unauthorized API use and account abuse.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The step-by-step instructions direct users to obtain their API Key and API Secret but omit any warning about secure storage or the risks of entering them into agents and automation platforms. Because this skill is specifically marketed for integration into apps, agents, and workflows, the missing caution materially raises the likelihood of credential leakage through prompts, config exports, logs, or third-party integrations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal