Tender Writer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward tender-document generator, but users should confirm before sending confidential bid files through Feishu.

Install only if you are comfortable having the agent process bid documents. Before any Feishu delivery, confirm the recipient/account and whether that bid allows external messaging; otherwise keep the generated Word file local in the tender/ directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that generated tender documents will be sent via Feishu, but it does not describe any user consent step, destination validation, or warning that sensitive bid materials may be shared with an external platform. In the context of tender writing, documents often contain confidential commercial, technical, pricing, and personnel information, so silent transmission creates a meaningful risk of unauthorized disclosure or compliance violations.

VirusTotal

65/65 vendors flagged this skill as clean.
