Volcengine Documentation

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Volcengine documentation lookup skill that sends user queries or document URLs to the documented Volcengine docs API.

Install this if you want agents to search official Volcengine documentation. Avoid sending secrets, private architecture details, or sensitive customer data in Volcengine questions, because search terms and supplied document URLs are sent to Volcengine's documentation API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs use of external HTTPS endpoints and a local script that performs network access, yet no explicit permissions are declared. That creates a transparency and governance gap: an agent or reviewer may not realize the skill can exfiltrate prompts or retrieve untrusted remote content, and permission enforcement may be bypassed depending on the platform.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger text says any request involving Volcengine products, consultation, usage questions, or documentation queries should preferentially invoke this skill. That scope is broad enough to cause over-invocation, pulling in remote documentation or steering the agent away from safer or more appropriate tools, which can expose user data to external services and increase attack surface.

VirusTotal

65/65 vendors flagged this skill as clean.
