Bailian Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Bailian/DashScope web search skill that uses the expected API key and sends search queries to the expected provider.

Install only if you trust Bailian/DashScope for your searches. Use a dedicated DashScope API key where possible, monitor quota or billing, and avoid putting secrets or confidential business data into search queries.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill invokes shell scripts and requires command-line tools (`bash`, `curl`, `jq`) but does not declare explicit permissions for shell execution. This creates a trust and containment gap: consumers may treat the skill as lower-risk than it is, while the actual implementation can make outbound network requests and process user-supplied input through a shell wrapper.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal