Back to skill

Security audit

🎯 BigLead · 精准客户线索挖掘(行业分析·查找客户·拓展业务·联系方式)| B2B Lead Prospecting

Security checks across malware telemetry and agentic risk

Overview

BigLead is a disclosed B2B lead-search helper that stores public prospecting results locally, with no evidence of hidden exfiltration, credential theft, or destructive behavior.

Install only if you want an agent to search public web sources for company leads and save names, business details, phone numbers, emails, and source URLs locally. Avoid vague prompts like `list` if you do not intend to run lead prospecting, and review exported CSV files because they may contain contact information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
87% confidence
Finding
Broad trigger phrases like '找客户', '搜公司', and 'list' can cause the skill to activate during ordinary conversation, potentially launching web searches and persisting lead data without clear user intent. In this skill, accidental activation is more concerning because it can write files and collect/store contact information.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.