Back to skill

Security audit

Bid Proposal Manager

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised bid-document organizing work, but it needs review because it can store or send sensitive proposal text and includes a barely documented permanent delete command.

Review before installing. Use a dedicated database and least-privilege Notion integration, prefer local embeddings for confidential documents, avoid untrusted URLs on sensitive networks, keep secrets out of shared shell profiles, and treat the vectorizer delete command as irreversible unless you add your own backup or confirmation controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents capabilities that access environment variables, local files, databases, external URLs, and the Notion API, but it does not declare any permissions or scope boundaries. This creates a real security governance gap: users and the platform cannot accurately understand or constrain what the skill may read, write, or send over the network, increasing the risk of unintended data exposure such as API keys, proposal documents, and database contents.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script exposes a destructive delete capability that removes projects and all related records via cascading foreign keys, but the skill description only mentions parsing, vectorizing, validating, and creating project pages. Hidden destructive functionality increases operational risk because a caller may invoke it unexpectedly or without understanding the consequences, causing permanent data loss.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The provider selection logic silently falls back to OpenAI if the preferred local provider is unavailable, which can cause bid announcements, qualifications, documents, and full raw text to be sent to a third-party API without explicit user consent. In this skill's context, procurement and proposal documents may contain sensitive business information, so unannounced external transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prompt directs the agent to ingest uploaded files and web URLs and extract their contents, but it provides no instruction to warn users about privacy risks, sensitive data exposure, or safe handling expectations. Because bid/proposal documents commonly contain confidential business, financial, and contact information, silent processing increases the risk of unintended disclosure or overly broad data use.

Missing User Warnings

High
Confidence
97% confidence
Finding
The vectorization workflow explicitly tells the agent to generate embeddings and store analysis results in PostgreSQL, but it does not require user consent, disclosure of persistence, or limits on what data may be stored. In this skill context, announcement documents and derived JSON may include proprietary proposal details, contacts, budgets, and eligibility data, so undisclosed persistence materially raises confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to write files, fetch remote content, store parsed document data in PostgreSQL/pgvector, and create or update Notion pages, but it does not require explicit user confirmation or warn that uploaded bid documents may be persisted or pushed to external systems. Because procurement and proposal documents often contain confidential business information, this can lead to unintended data exfiltration, privacy violations, or unauthorized modification of external systems if the agent acts automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to place database credentials and API keys directly into shell startup files as plaintext environment variables, but provides no warning about local exposure, shell history leakage, shared-account risks, or safer secret-management alternatives. In this skill's context, the risk is real because it handles Notion and embedding provider credentials that could allow unauthorized access to project data or external API usage if the host is compromised or misconfigured.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The URL parsing path performs arbitrary outbound HTTP(S) requests on user-supplied input with no allowlist, scheme restriction beyond http/https, or user-facing warning. In an agent or automation context, this can enable SSRF-like behavior against internal services or unintended network access to sensitive endpoints, making it more dangerous than in a purely local CLI parser.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The OpenAI embedding path sends input text directly to an external service and the code does not provide any user-facing disclosure, consent check, or data-classification guard. Because this tool processes bid and research proposal material, that text may include confidential or regulated information, making inadvertent exfiltration materially risky.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Ollama path transmits text to a network endpoint over HTTP, with no user-facing notice that content is being sent off-process or potentially off-host depending on OLLAMA_BASE_URL. This is less severe than third-party SaaS exfiltration when used on localhost, but it still creates confidentiality and boundary-crossing risk if the endpoint is remote or improperly secured.

Missing User Warnings

High
Confidence
96% confidence
Finding
The delete command performs irreversible deletion of a project record, and by cascade also deletes associated qualifications, documents, evaluation criteria, and embeddings, yet it has no confirmation prompt, dry-run, or safety interlock. In an automation context, a mistaken invocation or parameter mix-up can immediately destroy indexed project knowledge at scale.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.