Tender Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends a user-selected tender document to SoMark for parsing, then saves parsed results locally.

Install only if you are allowed to send the tender/RFP contents to SoMark. Keep SOMARK_API_KEY out of chat and shared logs, and review your organization’s procurement-data rules and SoMark’s handling terms before using it on confidential documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill instructs the agent to read local files, write parser outputs, access an environment variable, and call an external network service, but these capabilities are not explicitly declared as permissions. This creates a transparency and governance gap: users and platforms may not realize the skill can exfiltrate document contents to a third-party API or write artifacts to disk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The tool sends the local tender document and API key to a third-party remote service for processing, but the user flow does not prominently warn that potentially sensitive procurement data will leave the local environment. In the context of tender analysis, documents may contain confidential commercial, legal, or government information, so silent transmission creates a real data exposure and compliance risk even if the behavior is part of the tool's intended function.

VirusTotal

67/67 vendors flagged this skill as clean.
