Security audit

市场洞察师

Security checks across malware telemetry and agentic risk

Overview

This market-intelligence skill is mostly coherent, but its data-collection guidance includes proxy, bypass, and cookie-based scraping notes that conflict with its stated compliance limits.

Review before installing. Use this only for public rankings, official APIs, licensed datasets, or first-party accounts you are authorized to access. Do not provide platform cookies, session tokens, or proxy pools unless the publisher narrows the guidance and documents a lawful, user-controlled credential flow.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The document explicitly forbids bypassing anti-bot controls and login barriers, but then provides operational guidance such as '可绕过', '需代理池', and '需要cookie等', which materially enables scraping strategies that may evade platform protections or rely on authenticated session state. In a market-intelligence skill focused on competitor monitoring and data collection, this contradiction increases the likelihood that downstream agents or users will treat the prohibited behavior as endorsed, creating legal, compliance, and abuse risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal