Back to skill

Security audit

全国采招大数据中心-采招网

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed procurement intelligence helper that uses a third-party bid-data API, with privacy considerations users should understand before use.

Install only if you are comfortable sending procurement queries, company names, and bid-related search terms to the zhiliaobiaoxun.com API using your ZLBX_API_KEY. Avoid entering confidential strategy, secrets, or personal data, confirm whether searches should include affiliates/subsidiaries, and handle any returned contact details only for authorized business purposes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to send user queries and company/procurement search terms to an external third-party API using an API key, but it does not disclose the privacy and data-handling implications. This can lead to unintended exfiltration of sensitive user-provided business intelligence, company names, procurement interests, or investigative targets to the external service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to automatically expand a user-provided company name to multiple related entities and continue querying without confirmation. In a procurement intelligence context, this can materially broaden the analysis scope, causing over-collection, misattribution across affiliates, and misleading outputs if unrelated or only loosely related subsidiaries are included.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API exposes project contact information, including names, partially masked phone numbers, and linked bid records, but the documentation provides no privacy, sensitivity, or permissible-use guardrails. In this context, that omission can lead an agent to surface personal contact data too freely, enabling profiling, unsolicited outreach, or privacy-invasive aggregation at scale.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.