Security audit

Enterprise Intro

Security checks across malware telemetry and agentic risk

Overview

This enterprise-report skill is mostly coherent, but it needs Review because several templates tell the agent to hide that reports are AI-generated.

Before installing, confirm you are comfortable sending queried company names and related legal-representative identifiers to the configured Qibook/CHINADAAS API using your credentials. For production or external delivery, remove or override the template language that hides AI involvement, disclose AI assistance where appropriate, and require human review before using reports for credit, investment, legal, or counterparty decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The file implements a person-centric legal-representative investment and position inquiry workflow, which goes beyond the manifest's stated enterprise-introduction purpose. This scope mismatch is dangerous because it enables collection and presentation of an individual's cross-company affiliations and role history under a broader enterprise-report skill, increasing privacy, compliance, and misuse risk without clear user expectation or justification.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The code derives a legal representative's cross-company relationships by taking the company's legal representative (法人) name and querying that person's roles, investments, and control positions across other entities. This is dangerous because it converts a single enterprise query into identity-centric profiling of a natural person, which can expose sensitive business relationships and materially expands the surveillance and privacy impact beyond the apparent task.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The template is designed for analysis of social organizations and government-type institutions (社会组织/政府类机构), while the skill metadata advertises an enterprise-focused capability. This scope mismatch can cause the agent to generate incorrect reports, omit enterprise-relevant factors, or misclassify entities, which is a security-relevant integrity issue because downstream users may rely on the output for due diligence or legal/commercial decisions.

Description-Behavior Mismatch

Severity: Low. Confidence: 87%.
The template instructs the model to prioritize network search results, but the skill metadata does not declare web-search access or freshness guarantees. This can lead to fabricated sourcing, hidden dependency on external retrieval, or user over-trust in unverifiable claims, especially in regulated reporting contexts.

Description-Behavior Mismatch

Severity: Medium. Confidence: 89%.
The template explicitly broadens behavior from enterprise analysis to generic organizations and institutions, which conflicts with the skill metadata limiting use to enterprise-focused reports. This can cause the agent to process out-of-scope entities such as public institutions or other organizations, producing misleading outputs, bypassing intended guardrails, and increasing the chance of incorrect or policy-incompatible use.

Description-Behavior Mismatch

Severity: Medium. Confidence: 88%.
The skill metadata says it is for enterprise encyclopedia generation, but this template explicitly targets social organizations, expanding the operational scope beyond what a caller may expect. This can cause the agent to process unsupported entity types, produce misleading due-diligence style outputs, or bypass upstream business rules that rely on the declared enterprise-only scope.

Description-Behavior Mismatch

Severity: Medium. Confidence: 91%.
The template directs the model to generate commercial opportunity, credit performance, risk, and going-concern analysis, which goes beyond a basic introductory enterprise encyclopedia and into quasi-advisory assessment. In the absence of strong data provenance, recency controls, and suitability checks, this can lead to high-stakes financial or reputational outputs presented with undue certainty.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The function sends the user-supplied enterprise name directly to a third-party API, which is a real data-handling/privacy issue because user queries may reveal sensitive business research intent or non-public targets. In this skill’s context, external API use is expected, but the lack of user-facing disclosure, consent, or clear documentation about data transmission still creates privacy and compliance risk rather than a code-execution flaw.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The code sends an enterprise name directly to external APIs (`/entinfo` and `/historical/historicalBigData`) without any user-facing disclosure, consent step, or indication that the queried company identifier will leave the local agent context. In an enterprise due-diligence or research workflow, company names may themselves be sensitive business intent, so silent transmission can create privacy, confidentiality, and compliance risk.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The script sends the supplied company name and the derived legal representative name to external API endpoints without any user-facing notice, consent mechanism, or clear disclosure of what related personal/business data will be transmitted and fetched. This is dangerous because users may unknowingly trigger third-party processing of identifying and relationship data, creating privacy, confidentiality, and regulatory exposure.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The code sends the user-supplied enterprise name to an external API endpoint via `call_api('/relation/related_party', {'entname': entname}, method='GET')` without any disclosure, consent flow, or indication in this file that the query will leave the local environment. In an enterprise due-diligence context, company names being researched can themselves be sensitive business-intelligence data, so silent transmission can leak user intent and create privacy/compliance risk.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The function transmits the supplied enterprise name to external API endpoints without any visible consent, notice, or control at this layer. In an enterprise-intelligence skill, company names can be sensitive investigation targets, so sending them to third-party services may leak user intent, due-diligence activity, or confidential business interest.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The code sends the user-supplied enterprise name directly to an external API endpoint without any visible consent, disclosure, or minimization in this file. Even though an enterprise name is not always highly sensitive, queries can reveal the user's research targets, due-diligence activity, or business intent to the backend/API operator, creating a privacy and confidentiality leak.

Natural-Language Policy Violations

Severity: High. Confidence: 97%.
The instruction forbidding the model from revealing it is AI is a deceptive behavioral constraint that can mislead users about the source and limits of the generated analysis. In a business due-diligence context, this increases the risk that users over-trust synthetic conclusions, misunderstand accountability, or fail to apply appropriate human review.

Natural-Language Policy Violations

Severity: High. Confidence: 99%.
The prompt explicitly instructs the model to hide that it is AI-generated, which undermines transparency and can mislead users about the source and authority of the analysis. In a legal/credit-analysis context, this is more sensitive because users may assign undue trust to the report and make business or compliance decisions without understanding its automated nature.

Natural-Language Policy Violations

Severity: Medium. Confidence: 75%.
The template hard-codes Chinese output with no user language negotiation or documented locale enforcement, which can lead to misunderstood reports, unsafe reliance, or silent failure for users expecting another language. In a diligence and credit-analysis context, language mismatch can materially affect interpretation of risks, obligations, and business facts.

Natural-Language Policy Violations

Severity: High. Confidence: 98%.
The instruction to hide that the system is AI is a genuine policy and trust-integrity issue. It encourages deceptive behavior, undermines informed user consent, and can make generated analysis appear to come from a human expert, increasing the chance that users place undue confidence in unverifiable conclusions.

Ssd 1

Severity: Medium. Confidence: 96%.
The instruction to 'hide AI identity' asks the agent to misrepresent the provenance of the generated content, which can bypass transparency controls and mislead users into treating the report as purely human-authored analysis. In a due-diligence or credit-analysis context, this increases trust manipulation risk and can undermine auditability, accountability, and policy compliance.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.