Back to skill

Security audit

信创IT投标决策-信息化项目投标评估

Security checks across malware telemetry and agentic risk

Overview

This skill is useful for bid analysis, but it automatically creates and stores a third-party account credential, fingerprints the device, writes persistent reports, and exposes signed access links by default.

Review before installing. Use a manually provisioned ZLBX_API_KEY where possible, avoid silent auto-registration, and be careful sharing generated HTML reports because they may contain procurement analysis and signed links. Install only if you accept the vendor account, device-deduplication, local credential storage, and report-persistence behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly describes local file reads and local report writes, but only declares an environment variable requirement and no corresponding permissions. This creates a transparency and consent gap: a host may allow the skill to access the filesystem without users understanding that local files and generated artifacts are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill is presented as a bid-decision analysis assistant, but it also directs rendering HTML reports with embedded branding, promotional links, and export features not clearly reflected in the core description. That mismatch matters because users may consent to data analysis but not realize the skill will generate persistent local artifacts and marketing-bearing output.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill instructs automatic account registration when no API key is present and uses device-derived identifiers such as platform, architecture, and a MAC-based hash for deduplication. Even if framed as privacy-preserving, this exceeds what is necessary for bid analysis and introduces undisclosed account creation and device fingerprinting risk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file instructs the agent to perform a full out-of-scope account bootstrap flow: collect device-derived identifiers, call an internal registration endpoint, persist issued credentials locally, and generate auto-login/recharge links. For a bidding-analysis skill, this materially expands authority and data handling beyond the declared purpose, creating unnecessary privacy, credential-management, and account-abuse risk if the skill is invoked automatically.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs collection of platform, architecture, and a hashed MAC-derived identifier to deduplicate trial accounts. Even if minimized and hashed, this is still device fingerprinting unrelated to the user-visible bidding-analysis function, and it creates a stable cross-session identifier that can be used for tracking, correlation, or silent enrollment without meaningful user consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill tells the agent to write API keys into ~/.zlbx/config.json, merge config state, and manage balance exhaustion by generating login/recharge links. This turns an analysis skill into a credential lifecycle manager, increasing the chance of unintended secret persistence, confused-deputy behavior, and unauthorized modification of user environment outside the advertised scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The template explicitly instructs the agent to preserve and expose full signed URLs containing the `sk` parameter, described as a login-bypass signature. Publishing bearer-style signed links in chat output and exported reports can grant unintended access to protected resources, enable link sharing beyond the intended recipient, and leak access tokens into logs, screenshots, and downstream systems. In this skill context, the danger is increased because the links are required in multiple places and positioned as a default behavior, making repeated disclosure likely.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The template mandates automatic generation of a local HTML report file in addition to the chat response. Unprompted file creation can persist sensitive procurement analysis and embedded links on disk, increase data retention risk, and create secondary disclosure paths if the filesystem is shared, synced, or later accessed by other processes or users. The risk is amplified here because generation is the default behavior rather than an opt-in action.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation rule is extremely broad, effectively forcing use of this skill for many generic IT bidding-analysis requests. Over-broad triggering can cause unnecessary external API use, local file writes, and account-registration flows in situations where a narrower or less invasive tool would suffice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill specifies automatic registration and device-derived data collection but does not require a clear warning and affirmative consent at the point of use. Silent onboarding to a third-party service increases privacy and compliance risk, especially because it creates an account and transmits device-linked attributes.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill states that it writes reports locally and stores credentials in a local config path, but this is framed as ancillary information rather than a prominent upfront warning. Hidden persistence of artifacts and secrets can surprise users and increase exposure if the host system is shared or insufficiently secured.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown directs the agent to create a local HTML file and disclose its filesystem path without warning the user about file creation or persistence. This violates the principle of user awareness and can surprise users with side effects, while also revealing local path information that may expose environment details or facilitate later targeting. In a data-heavy bidding analysis workflow, silent artifact creation is more dangerous because outputs may contain commercially sensitive information.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The workflow explicitly instructs the agent to read a local bid file when provided, but it does not require confirming that the user intended local file access or warning that local content will be ingested. In an agent setting, this can lead to unintended access to sensitive local documents if file-selection or attachment context is ambiguous, especially because bid files may contain confidential commercial or customer data.

Ssd 3

High
Confidence
99% confidence
Finding
The template requires preserving and displaying login-bypass signature parameters in user-facing links, including in exported artifacts. Exposing access-enabling query parameters is a direct secret disclosure issue: anyone who obtains the link may reuse it, and such URLs are commonly captured by browser history, analytics, logs, and shared documents. The risk is especially significant here because the text explicitly frames removal as breaking access, confirming that the parameter is security-sensitive rather than cosmetic.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.