网贷援助律师 (Online Loan Assistance Lawyer)

Security checks across malware telemetry and agentic risk

Overview

This is a local Node.js loan-repayment helper that asks for debt-related numbers and prints advice, with no evidence of hidden data transfer or system modification.

Before installing, understand that you will be entering sensitive financial details into a local script. The artifacts do not show network transmission or storage, but the advice is not professional legal or financial advice, and the referral/contact section should be treated as promotional unless you independently trust the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The skill claims it does not collect privacy-sensitive information, but it explicitly prompts for monthly income and detailed debt data, which are sensitive financial attributes. Even if the data is only processed locally, the misleading claim can cause users to disclose information under false assumptions, creating privacy and trust risks.

Description-Behavior Mismatch

Low
Confidence: 88%
Finding
The skill is presented as an analysis tool, but the report includes undisclosed promotional and lead-generation language directing users to contact an external 'professional' service. In a debt-assistance context, this is risky because financially distressed users are a vulnerable audience and may interpret the output as neutral advice rather than marketing.

VirusTotal

58/58 vendors flagged this skill as clean.
