Auto Parts - Multi-dimensional Reference Price Lookup

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward auto-parts price lookup skill that sends user-provided part codes to a disclosed pricing API and shows no hidden persistence, destructive behavior, or unrelated data access.

Install only if you trust the 积智数据/qipeidao pricing service and are allowed to send the part codes you query to that provider. Use a dedicated JZ_API_KEY where possible and avoid submitting sensitive business or customer-associated data without approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation states that part codes are sent to a third-party API endpoint but does not clearly warn users that their query data leaves the local/OpenClaw environment. This can lead to unintentional disclosure of potentially sensitive commercial, inventory, or customer-associated data to an external service without informed user consent.

VirusTotal

67/67 vendors flagged this skill as clean.
