Back to skill

Security audit

Gx Bidding Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a real bidding-monitor workflow, but it ships plaintext third-party account credentials and personal contact details in its documentation and config files.

Do not install this version unless you control all listed accounts and have already rotated the exposed passwords, seal/signing password, and related recovery factors. The monitoring logic itself is understandable, but the package should be republished with credentials removed, account fields redacted, and secrets moved to a proper secret store or environment-specific configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents shell execution, local file reads/writes, and browser-driven scraping workflows, but declares no permissions. This creates a trust and review gap: operators may invoke a skill with materially broader capabilities than its manifest communicates, increasing the chance of unintended file access, persistence, or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is passive tender monitoring and filtering, but the documented behavior also includes exposing login-required platform lists, displaying stored account identifiers, and writing result/message files locally. That mismatch is security-relevant because users may consent to monitoring without realizing the skill also handles sensitive account data and creates local artifacts that can leak or be reused.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The documentation embeds platform account identifiers and points readers to a file containing fuller authenticated access details. Even if passwords are not always shown inline, exposing usernames, phone numbers, and account mappings materially lowers the barrier to credential stuffing, phishing, social engineering, and targeting of the referenced individuals and organizations.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The manifest says the skill only monitors electricity-related tenders, but the configuration enumerates many unrelated sectors such as real estate, aviation, rail, retail, and generic enterprise procurement. This mismatch undermines user consent and least-privilege expectations, and can cause the agent to collect or process data outside the declared scope.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims login is not automatically simulated, yet it keeps a detailed credential ledger for numerous third-party platforms. Even if the current version does not auto-login, embedding reusable credentials in skill docs materially enables future misuse, credential replay, or operator confusion about what access the skill is expected to exercise.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This section embeds live credentials, phone numbers, emails, named contacts, and even seal/password information for multiple third-party procurement platforms. Hardcoded secrets and personal data in a reference file create immediate account-compromise, unauthorized-access, privacy, and downstream fraud risks if the skill or repository is exposed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
In `--auth-only` mode, the script prints login-required platform names, URLs, and configured account identifiers directly to stdout. That behavior contradicts the stated purpose of only monitoring power-related bidding information and can expose sensitive operational data for unrelated platforms to users, logs, terminals, or calling systems.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code exposes configured account identifiers for login-required sites via `print(f" 账号: {site['account']}")`, which is unnecessary for a monitoring workflow. Even if these are usernames rather than passwords, they provide reconnaissance value and may leak internal identifiers into logs or downstream automation outputs.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill publicly lists account identifiers for login-required services without immediate sensitivity warnings or protective handling, and in at least one row appears to include a password-like value in the table. In context, this is especially dangerous because the skill targets many third-party procurement platforms, making the disclosed accounts attractive for unauthorized access, reconnaissance, and vendor impersonation.

Missing User Warnings

High
Confidence
99% confidence
Finding
This file contains plaintext usernames, passwords, phone numbers, email addresses, and even signing-related details for multiple external services. Anyone with repository or artifact access can immediately reuse those credentials, leading to account takeover, unauthorized procurement access, data exposure, and downstream fraud.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script enumerates login-required platforms and prints associated account information with no warning or masking. In practice this can leak sensitive account metadata to shell history captures, CI logs, terminal recordings, or other observers, increasing the chance of credential targeting or unauthorized access attempts.

Ssd 3

High
Confidence
98% confidence
Finding
The skill documentation acts as a reusable credential and operations ledger, combining account identifiers, passwords, contact details, and instructions for accessing platforms. In an agent-skill context this is especially dangerous because it centralizes sensitive data in a machine-readable form that can be copied, indexed, or reused at scale.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
references/gx_websites.json:11