Back to skill

Security audit

Volc Docs

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Volcengine documentation lookup skill with disclosed network calls and no credential, persistence, or destructive behavior.

Install if you want Volcengine docs lookups from the agent. Be aware that Volcengine-related questions may be sent to the external docs API, avoid including confidential information in queries, and use it only with Volcengine documentation links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The description says any Volcengine-related consultation, usage issue, or documentation query should prioritize this skill, which is overly broad. Such broad routing can cause unintended invocation, leading the agent to send user prompts to an external documentation service when the user did not clearly request tool use or when another safer/local response path would suffice.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The skill mandates use of Chinese-language/locale-specific URL handling, including stripping query parameters such as `?lang=zh` and requiring a 'pure' URL format. While not directly a security exploit, this can override user preference or fetch a different locale/version than intended, causing integrity and consent issues in the returned documentation context.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.