Tender and Bidding Business Opportunity Monitoring Radar - 标标达

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed tender-data API skill, but users should be careful because procurement, company, and contact-related queries are sent to an external provider.

Install only if you trust the 标标达/知了标讯 service with your procurement research terms. Use a dedicated ZLBX_API_KEY, avoid entering non-public bid strategy or private customer lists unless approved, and ask the agent to show matched companies before broad analyses of shorthand or ambiguous company names.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High (95% confidence)
Finding
The skill mandates activation for a very broad set of bidding, sourcing, and risk-analysis queries, including cases where the user did not explicitly request this provider. That can cause unintended routing of sensitive business queries to an external service, increasing privacy, consent, and overreach risks while also crowding out safer or more appropriate tools.

Missing User Warnings

Medium (91% confidence)
Finding
The skill instructs the agent to send company names, bid queries, and potentially contact-related lookups to a third-party API, but provides no user-facing notice, consent flow, or data-handling limits. Because the tool includes company contact retrieval and external transmission, users may unknowingly expose sensitive business research or personal/contact data to the provider.

Missing User Warnings

Medium (91% confidence)
Finding
The documentation instructs the agent to automatically expand a shorthand company name to all matching headquarters and branch entities and proceed without user confirmation. This broadens the query scope and data processing beyond the user's explicit input, creating a risk of over-collection, mistaken identity, and unintended disclosure or analysis of unrelated organizations.

VirusTotal

65/65 vendors flagged this skill as clean.
