企业背景调查（智访通）

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed company-research helper that searches public sources, with privacy considerations but no evidence of hidden, destructive, or credential-seeking behavior.

Install only if you are comfortable with company names and search terms being sent to the listed public search engines. Do not paste confidential annual reports, non-public financials, or sensitive internal prospect lists unless you want that material used in the generated report.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill sends user-supplied company names and related search terms to multiple third-party search engines without an explicit disclosure or consent step. This can expose sensitive research targets, customer interests, or internal prospecting activity to external services, which is especially relevant in a business-intelligence context even if the queried data is nominally public.

Ssd 3

Medium

Confidence: 91% confidence
Finding: The output template explicitly instructs the agent to include valuable information extracted from user-provided annual reports or financial data, which risks echoing or redisclosing sensitive user-supplied material beyond the minimum needed for the task. If users paste confidential internal documents or non-public financials, the skill encourages their inclusion in generated reports without any sensitivity check or minimization rule.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal