元宝搜索标准版Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward TencentCloud web search client, with the main caution that search terms are sent to TencentCloud using the configured API key.

Install only if you are comfortable sending search queries and parameters to TencentCloud WSA. Use a dedicated API key with quota or billing controls, do not search for secrets or sensitive internal information, and treat returned web snippets as untrusted external content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill says it performs web search but does not clearly warn that user queries are transmitted to TencentCloud's Web Search API and external search infrastructure. This can cause unintentional disclosure of sensitive prompts, internal project names, or personal data if users assume the query stays local.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script sends the user's search query directly to Tencent's remote Web Search API, which discloses potentially sensitive user input to a third-party service. In an agent skill context, queries may contain private data, internal prompts, tokens, or user secrets, and the code provides no user-facing notice, consent flow, or minimization before transmission.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal