Security audit

VIN车辆车型解析 API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a VIN lookup skill whose external API use is aligned with its purpose, but users should be aware that VINs are sent to a third-party service.

Install only if you are comfortable sending VINs to the configured third-party lookup service and providing the required API key. Treat VINs as potentially sensitive vehicle identifiers, and prefer a version whose README or instructions clearly name the endpoint and data sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill transmits a user-supplied VIN and the JZ_API_KEY to a third-party service, but provides no user disclosure, consent flow, or privacy notice. VINs can be sensitive identifiers tied to specific vehicles, and silent transmission of both user data and credentials to an external endpoint increases privacy and supply-chain risk if the endpoint is compromised or unexpected.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal