Business Information Inquiry Tool

Security checks across malware telemetry and agentic risk

Overview

The skill broadly fits its company-research purpose, but it needs Review because it reads local credential files and can render unescaped external content into HTML reports.

Install only if you are comfortable with company names and research queries being sent to external search providers when Tavily is configured. Use a dedicated limited Tavily key, avoid placing it in broad home .env files, and treat generated reports as unsafe for untrusted inputs until all report fields and error messages are HTML-escaped.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill advertises zero-configuration behavior while indicating capabilities to read environment variables, access local files such as .env, and make outbound network requests, yet it declares no permissions. This creates a transparency and least-privilege problem: users and the platform may underestimate what the skill can access, making secret exposure or unintended data egress harder to detect or govern.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented behavior does not match the effective behavior: the skill claims to directly perform AI-based enterprise search and report generation, but also relies on local secret retrieval and appears to depend on externally supplied search results or instructions rather than self-contained execution. This mismatch is dangerous because it can conceal data flows, mislead users about autonomy and trust boundaries, and open the door to prompt/data injection through untrusted externally provided search content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill scans multiple local .env files in fixed locations to obtain a Tavily API key, which exceeds the minimum privilege needed for an enterprise-search helper. In an agent environment, this broad secret-discovery behavior can expose credentials from unrelated workspaces or users and enables unintended secret use without explicit operator consent.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The docstring states that the script does not collect privacy-related data, yet the implementation reads API credentials from local .env files. That mismatch is security-relevant because it misleads reviewers and users about secret-handling behavior, reducing the chance that risky credential access will be noticed or governed.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The normal rendering path consistently escapes untrusted content before inserting it into HTML, but the error-handling branch directly interpolates `data['error']` into the response body without HTML escaping. If an attacker can influence the error string, this creates a reflected/stored XSS vector in the generated report, which is especially relevant because this skill produces HTML meant to be viewed in a browser-like client.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The README states that the agent will automatically enable this skill for broad intents such as '企业调研' (enterprise research), '企业信息搜索' (enterprise information search), and similar phrases, without a clear trigger boundary or confirmation step. This can cause the skill to run unexpectedly on ordinary conversation, leading to unintended searches, data handling, and report generation, especially when external lookup capabilities are available.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The documentation describes automatic multi-dimensional search and optional Tavily enhancement, but does not clearly warn users that their company query may be sent to external services or network search providers. This creates a transparency and privacy risk because users may disclose sensitive target names or investigation subjects without realizing that the information leaves the local agent context.

VirusTotal

66/66 vendors flagged this skill as clean.