Back to skill

Security audit

Yunlv Compliance Check

Security checks across malware telemetry and agentic risk

Overview

This trade-compliance skill is not clearly malicious, but it overstates high-stakes sanctions, tariff, and HS-code screening capabilities compared with the static heuristic artifacts provided.

Review before installing. Use this only as preliminary trade-compliance assistance, not as a legal or sanctions-screening authority. Verify HS codes, tariff rates, sanctions hits, export controls, and certification requirements against official sources or qualified counsel before acting, and avoid sending unrelated compliance or sensitive business data through the broad "compliance" trigger.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
A description-behavior mismatch is security-relevant here because the skill is positioned as performing sanctions screening, tariff checks, and regulatory verification—tasks where users may rely on the output for legally sensitive decisions. If the implementation actually uses static data, heuristics, or omits real sanctions screening, users could proceed with prohibited or noncompliant transactions under false assurance, creating substantial regulatory and financial exposure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.