Natural-Language Policy Violations
Medium
- Confidence
- 94% confidence
- Finding
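- The document title, the mission statement, and the operating rules that follow are all written in mandatory Chinese, with no indication that the language can be switched according to user preference. Under the language/locale policy, a skill that forces a specific language by default without giving the user a choice is a natural-language policy violation.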
Security checks across malware telemetry and agentic risk
This is a coherent BIM modeling skill with disclosed CLI installation and optional project sharing behavior.
Before installing, review the npm package because global npm installs can execute package scripts. Treat publishing as sensitive: it uploads the project directory, including file names, geometry, room names, materials, notes, and GLB assets, and anyone with the returned share link can view or download it until it expires. For confidential projects, avoid publishing or use a trusted self-hosted BIMCLAW_API endpoint.
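9. **`bimdown resolve-topology <dir>`**: Automatically detects coincident endpoints for MEP (mechanical, electrical and plumbing) lines, generates `mep_nodes`, and fills in the connection fields.
10. **`bimdown merge <dirs...> -o <output>`**: Merges multiple project directories into one consolidated model, automatically resolving ID conflicts.
11. **`bimdown sync <dir>`**: Hydrates the data into DuckDB, then dehydrates it back to CSV/SVG, in order to apply default computed values.
12. **Download a project shared by someone else**: If the user provides a share link such as `https://bim-claw.com/s/<token>`, append `/download` to it to download the archive: `curl -L https://bim-claw.com/s/<token>/download -o project.zip && unzip project.zip -d project/`

## Publishing & Data Upload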
64/64 vendors flagged this skill as clean.