Tender and Bid Award Search & Data Analysis - 乙方宝

Security checks across malware telemetry and agentic risk

Overview

This is a read-only tender and company research skill that is broadly coherent, but users should treat external queries and returned contact data as sensitive.

Install this only if you intend to use the Zhiliaobiaoxun/Yifangbao API for tender research. Use a dedicated API key, avoid submitting confidential procurement strategy or sensitive company lists unless sharing them with the provider is acceptable, specify exact legal entities when scope matters, and handle returned contact names or phone data only for legitimate authorized business purposes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High (95% confidence)
The skill description says the skill 'must be called' whenever a user needs tender/bid queries or company profiling, which is an overly broad routing mandate. This can override normal tool-selection safeguards, cause unnecessary disclosure of user queries to a third-party service, and pressure the agent to use the tool even when a safer or less invasive option exists.

Missing User Warnings

Medium (88% confidence)
The skill documents use of an API key and supports company/contact-data lookups, but provides no privacy notice, data-minimization guidance, or warning before querying potentially sensitive personal/business information. In this context, the skill can retrieve contact details and transmit user-supplied targets to a third-party API, creating privacy, compliance, and unauthorized data-sharing risks.

Missing User Warnings

Medium (92% confidence)
The skill explicitly directs the agent to automatically expand a user-supplied company name into multiple related legal entities and then run follow-on queries without user confirmation. That creates a scope-expansion/privacy risk because the agent may retrieve and analyze data about affiliates, subsidiaries, or similarly named entities the user did not intend, potentially exposing broader commercial intelligence than requested.

Missing User Warnings

Medium (95% confidence)
The contacts API exposes project contact information such as names, masked phone numbers, role context, and recent bid links, but the documentation provides no privacy, sensitivity, or permissible-use warning. In a tender-analysis skill, this can enable targeted outreach, profiling, or misuse of procurement contact data, especially when combined with keyword/date filtering to identify relevant individuals.

VirusTotal

59/59 vendors flagged this skill as clean.
