Security audit

Web-wide tender and bid-award data platform - 知了标讯 (Zhiliaobiaoxun)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed procurement and bid-intelligence skill that uses a third-party API, with privacy and scoping cautions but no evidence of hidden, destructive, or deceptive behavior.

Install only if you are comfortable sending procurement, supplier, competitor, company, and contact lookup queries to the Zhiliaobiaoxun service using your API key. For sensitive work, specify exact entities and date ranges, avoid unnecessary contact lookups, and review matched company lists before acting on the analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

High
Confidence: 92%
Finding
The skill declares an extremely broad mandatory-trigger scope covering nearly any mention of procurement, suppliers, competitors, or bidding. This can cause over-invocation, unnecessary external data transmission, and inappropriate tool use in contexts where the user did not intend third-party lookup, increasing privacy and data-minimization risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documented capability to query company contact information introduces clear privacy and compliance risk, especially because the skill provides no usage restrictions, lawful-basis guidance, or warnings against misuse of personal data. In this context, the risk is elevated because the tool is designed for broad commercial intelligence workflows, making it easy to normalize bulk or unjustified contact lookups.

Missing User Warnings

Medium
Confidence: 87%
Finding
The documented workflow expands a user's company query to multiple matched legal entities and automatically uses them in downstream analysis without explicit confirmation. In a procurement and bidding intelligence context, this can materially alter results, cause over-collection or mixing of unrelated entities, and mislead users into acting on inaccurate competitive or supplier intelligence.

VirusTotal

64/64 vendors flagged this skill as clean.