Alibaba Cloud Web Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Alibaba Cloud IQS search skill, with expected third-party query transmission that users should understand before using it.

Install only if you are comfortable sending search queries to Alibaba Cloud IQS under your Aliyun account. Use a dedicated API key where possible, keep any .env file private, watch quota or billing, and avoid submitting secrets, personal data, or confidential business terms unless Alibaba Cloud processing is acceptable for your use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill sends user queries to Alibaba Cloud's IQS UnifiedSearch API, but the description does not clearly warn users that their prompts/search terms are transmitted to a third-party cloud service. This can expose sensitive user data, internal project information, or secrets if users unknowingly submit confidential queries, making the omission a real privacy and data-handling vulnerability.

VirusTotal

66/66 vendors flagged this skill as clean.
