Driver's License Exam - 驾考题库

Security checks across malware telemetry and agentic risk

Overview

This skill fetches driving-test practice questions from JisuAPI using a user-provided API key, with no hidden persistence or unrelated behavior found.

Install only if you are comfortable using JisuAPI for driving-exam questions. Use a dedicated JISU_API_KEY where possible, expect each request to send the API key plus exam parameters such as license type, subject, page, sort, and chapter to JisuAPI, and monitor provider quota or billing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger phrase includes a broad fuzzy condition ('or similar exam-practice requests'), which can cause the skill to activate for loosely related user intents. Over-broad invocation increases the chance of unintended third-party requests and incorrect routing, especially in multi-skill environments where user input may ambiguously mention driving, tests, or practice questions.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation introduces the third-party JisuAPI integration but does not clearly warn that user-supplied request parameters will be transmitted off-platform. This is a transparency and privacy issue: even if the parameters are not highly sensitive, users and operators should be informed when their requests are sent to an external service and governed by that provider's logging and retention practices.

VirusTotal

65/65 vendors flagged this skill as clean.
