Back to skill

Security audit

Company search wdy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WenDaoYun company-lookup skill that sends user-selected company queries to the WenDaoYun API and shows no hidden execution, persistence, or destructive behavior.

Install this only if you intend to query WenDaoYun company records. Keep the API key private, and remember that company names or keywords you search will be sent to WenDaoYun; confirm the selected company before requesting detailed legal, financial, or risk data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description says it should trigger whenever a user wants to query company-related information, which is overly broad and can overlap with many general business, legal, or financial queries. This can cause unintended invocation of the skill, leading to unnecessary external API use, disclosure of user query content to a third-party service, and degraded routing to more appropriate tools.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.