Bidding and Award Information & Tender Radar - Jianyu

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for querying a disclosed bidding-data API, with privacy and scoping considerations but no hidden code or destructive behavior.

Install only if you trust the Jianyu/Zhiliaobiaoxun service with your procurement searches. Use a dedicated API key, avoid submitting confidential strategy or non-public deal information, ask for exact-company searches when needed, and treat any returned contact information as sensitive business contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (91% confidence)

Finding
The skill description says bid/tender-related questions 'must' call this skill, which is an overly broad trigger that can force unnecessary activation for many ordinary user queries. This increases the chance of unsolicited external API use, unnecessary disclosure of user query contents to a third party, and reduced user control over tool invocation.

Missing User Warnings

Medium (95% confidence)

Finding
The skill instructs the agent to send requests containing user-supplied search terms to an external service using an API key, but it does not require any user-facing notice or consent about third-party data transfer. In a procurement context, queries may include sensitive company names, project interests, or contact-related lookups, so silent transmission creates a meaningful privacy and data-governance risk.

Missing User Warnings

Medium (91% confidence)

Finding
The skill explicitly instructs the agent to expand a user's query from one company name to all semantically matched headquarters and subsidiaries, then run follow-up analysis without confirmation. This can cause over-collection and misattribution, returning data about unintended entities and broadening the scope of sensitive business intelligence beyond what the user clearly requested.

VirusTotal

65/65 vendors flagged this skill as clean.
