Back to skill

Security audit

中国机动车出厂合格证识别与抽取(ADP)

Security checks across malware telemetry and agentic risk

Overview

This is a real vehicle-certificate extraction skill, but it asks users to install and configure a broader cloud document-processing CLI with API-key use, remote document handling, and unsafe installer shortcuts.

Install only if you intend to use Laiye ADP as a cloud processor for vehicle-certificate files and are comfortable providing an ADP API key. Prefer npm or verified release binaries over the one-line remote installer scripts, avoid granting agents access to arbitrary folders or URLs, and restrict use to the vehicle-certificate extraction app rather than the broader custom-app and general document-processing commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README for a purported vehicle-certificate extraction skill instead describes a broad, general-purpose ADP CLI capable of arbitrary document parsing, app management, and agent-oriented automation. This scope mismatch is dangerous because it can mislead users and agents into granting broader trust and permissions than the skill’s declared purpose warrants, enabling unintended use beyond vehicle certificate extraction.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Documenting creation, update, and deletion of custom extraction applications materially expands the operational scope beyond a single-purpose vehicle certificate skill. In an agent context, this can enable unauthorized configuration changes or repurposing of the toolchain, increasing the risk of abuse, misconfiguration, or lateral workflow impact.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
Support for parsing and extracting arbitrary remote URLs is broader than the stated vehicle-certificate use case and can be abused to fetch and process attacker-controlled content. In agent workflows, this increases the attack surface for data exfiltration, prompt/data poisoning, or unintended interaction with untrusted remote resources.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README documents a broad, general-purpose ADP CLI with parsing, extraction, app management, and workflow capabilities that materially exceed the manifest's claimed purpose of a fixed vehicle-certificate extraction skill. This scope mismatch is dangerous because an agent or user selecting the skill for a narrow task could unknowingly gain or invoke unrelated capabilities, increasing the chance of unintended data access, tool misuse, or policy bypass through capability confusion.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Exposing custom application creation, editing, and management turns a supposedly fixed-purpose extraction skill into a platform-administration surface. In agent contexts, this can let the skill be repurposed for arbitrary extraction logic or document handling beyond the expected vehicle-certificate use case, undermining least privilege and increasing the blast radius of misuse.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Generic remote-URL document processing allows the skill to fetch and process arbitrary external resources, which is broader than the stated narrow certificate-extraction purpose. In practice this can enable unintended external network access, processing of attacker-controlled documents, and exfiltration or abuse paths that would not be expected from a local, fixed-function certificate skill.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README instructs users to pipe remotely fetched shell and PowerShell scripts directly into interpreters without verification, which is a well-known supply-chain and remote code execution risk. If the upstream source, repository, network path, or referenced script is compromised, users can execute arbitrary code on their systems immediately.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README instructs users to execute one-line remote shell and PowerShell bootstrap commands directly from the network without any integrity verification, pinning, or safety warning. This is dangerous because compromise of the source repository, delivery path, or referenced script can immediately lead to arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to send vehicle certificate images and extracted document contents to a third-party cloud service, but it does not clearly warn about the privacy and data-transfer implications. These documents can contain sensitive identifiers such as VINs, engine numbers, manufacturer details, and other regulated or business-sensitive information, so omitting an explicit disclosure can cause inadvertent external data exposure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.