VIN配件 精准译码 (VIN Parts Precise Decoding)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward VIN parts lookup skill that sends VIN and part-name queries to a disclosed external API using a required provider key.

Install only if you trust the provider and are allowed to send VINs, requested part names, and requests tied to your JZ_API_KEY to the disclosed external API. Use a dedicated API key where possible and avoid submitting vehicle data your organization treats as confidential unless that sharing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill sends user-supplied VIN and parts queries to an external service and requires an API key, but it does not clearly warn users that their submitted vehicle-related data will leave the local environment. This creates a privacy and data-governance risk because users may disclose sensitive or regulated operational data without informed consent or understanding where it is processed.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script transmits a 17-character VIN, requested part names, and an API key to a third-party remote service. Even though this is core to the skill's business purpose, VINs can be sensitive vehicle-linked identifiers and the code provides no consent notice, data minimization, or policy checks before exfiltrating user-supplied data to an external endpoint.

VirusTotal

No VirusTotal findings