Security audit

合规哨兵监控虾

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent partner compliance monitoring helper that uses disclosed Feishu storage and alerts, but users should manage sensitive partner data carefully.

Before installing, confirm the correct command is the packaged Python script, use least-privilege Feishu and commercial API credentials, limit monitoring to companies you are authorized to review, and decide who can view, retain, export, or delete the Feishu compliance records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs storage of partner compliance records in Feishu tables and delivery of alerts through Feishu messages, but it does not clearly warn users that potentially sensitive third-party business/legal data will be persisted and transmitted through those services. This can lead to inadvertent privacy, confidentiality, retention, or cross-border compliance issues, particularly because the skill handles litigation, dishonesty, and abnormal-operation data.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.