Sourcing in China

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed China-sourcing helper that sends search terms and product URLs to a third-party MCP proxy, with no hidden executable behavior found.

Install only if you are comfortable sending sourcing searches and product URLs to the disclosed third-party MCP proxy. Avoid confidential product plans, proprietary specifications, supplier strategy, or other sensitive business details in queries.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The skill advertises activation on very common terms such as "source," "manufacturer," and "procurement," which can cause unintended invocation in unrelated conversations. Because this skill sends user-supplied queries to an external MCP service, accidental triggering increases the chance of unnecessary third-party data exposure and tool use without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal