Back to skill

Security audit

Social Security Fund

Security checks across malware telemetry and agentic risk

Overview

This skill is a local calculator and simulated guide for Chinese social security and housing-fund topics, with no evidence of upload, account access, persistence, or destructive behavior.

Safe to use for local estimates and official-channel guidance. Treat query outputs as simulated, prefer guide mode or placeholder identifiers, avoid entering real ID card or account numbers on the command line, and install dependencies in an isolated Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The tool accepts highly sensitive personal identifiers such as national ID card numbers and housing fund account numbers, then forwards them to child scripts without any visible privacy notice, masking, minimization, or handling safeguards in this entrypoint. In a social-security/fund lookup context, this increases the risk of accidental exposure in logs, terminal history, downstream errors, or insecure child-script processing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
Confidence
95% confidence
Finding
beautifulsoup4>=4.11.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.