Back to skill

Security audit

建筑工程标讯洞察-筑龙标事

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only construction bid intelligence skill that uses a disclosed third-party API, with privacy and query-scope caveats users should control.

Install only if you are comfortable sending bid keywords, company names, bid URLs, and related search parameters to the Zhiliaobiaoxun API using your ZLBX_API_KEY. Ask the agent to confirm matched companies before broad headquarters/subsidiary analysis, and retrieve or share project contact details only for legitimate authorized business purposes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly exposes a `get_company_contacts` capability to retrieve project contact information, but provides no guidance on lawful use, consent expectations, data minimization, or restrictions on sharing personal data. In a bidding-intelligence context, this can enable misuse of personal or quasi-personal contact details for unsolicited outreach, profiling, or privacy-invasive analysis.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly directs the agent to automatically expand a user-provided company name to multiple related entities and continue downstream analysis without confirmation. This can cause over-collection and analysis of data about subsidiaries or similarly named entities the user did not intend, creating scope-creep, privacy, and accuracy risks in a business-intelligence context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.