🎯 BigLead · Precision Customer Lead Discovery (Industry Analysis · Find Customers · Expand Business · Contact Details) | B2B Lead Prospecting

Security checks across malware telemetry and agentic risk

Overview

BigLead is a disclosed B2B lead-research skill that stores and exports public business lead data locally, with privacy and trigger-scope caveats but no evidence of hidden exfiltration or destructive behavior.

Install only if you want a local B2B lead database. Use it for public business contact information, avoid adding private personal details, review CSV exports before sharing them, and delete old `memory/lead-data/` files or exports when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding:
The trigger list contains broad phrases such as '搜公司', 'leads', and 'list', which can match ordinary user requests and cause the skill to activate unexpectedly. Because this skill performs web research and stores and exports leads, accidental invocation can lead to unintended collection and retention of company and contact information.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill is designed to collect, store, score, and export contact details, yet it lacks a clear privacy notice, consent workflow, retention policy, or warning about handling personal data. Even if the data is described as public, aggregation and persistent storage of contact information can create privacy, compliance, and misuse risks.

VirusTotal

65/65 vendors flagged this skill as clean.
