zhipu web search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Zhipu web-search wrapper that sends user-provided search queries to Zhipu using the configured API key, with no hidden persistence or destructive behavior found.

Install this only if you are comfortable sending search queries to Zhipu/BigModel under your Zhipu account. Use a revocable API key if possible, avoid putting secrets or confidential material in queries, and rotate the key if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to send arbitrary search queries and an API credential to a third-party service without any warning that prompts may contain sensitive data or that data leaves the local environment. In an agent setting, this can cause unintentional disclosure of proprietary, personal, or regulated information to an external provider.

VirusTotal

66/66 vendors flagged this skill as clean.
