Back to skill

Security audit

tender-similarity-analyzer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local tender-document similarity checker, but users should review it because its security guarantees are overstated and it has under-disclosed local write and logging behaviors.

Install only if you are comfortable letting the skill read the tender files you select, create an HTML report containing matching paragraph text, and write local audit metadata. Do not rely on its 'zero outbound' or 'sandbox' claims as a hard security boundary, and avoid invoking dependency auto-install or document-editing helper paths unless you explicitly intend those changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The tool is presented as a local plagiarism-analysis utility, but it also contains document-modification capability that rewrites and saves files. Hidden or under-disclosed write functionality increases risk because users may trust the tool with sensitive tender documents expecting read-only analysis, while the code can alter outputs and potentially affect document integrity or compliance workflows.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code promises that no recoverable sensitive information will ever be logged, but `log_operation` accepts arbitrary `**kwargs` and persists everything except a very small denylist. This creates a realistic path for secrets, identifiers, paths, prompts, API responses, or other sensitive metadata to be written to disk unintentionally, especially as callers evolve over time.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module advertises '100% zero outbound' and 'complete network isolation', but it explicitly permits localhost and loopback connections. In a security control, overstating guarantees is dangerous because operators may trust it to prevent all exfiltration even though local services, tunnels, proxies, or SSRF-style pivots on localhost remain reachable.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The verification routine claims to confirm '0 bytes outbound', but it only inspects the module's own in-memory warning log for entries marked with 🚨. This can miss traffic sent through unhooked APIs, previously created sockets, subprocesses, native extensions, or any bypass that does not emit the expected log entry, creating a false assurance that no data left the system.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code presents itself as a process sandbox, but it only removes a small subset of environment variables and records allowed directories in memory. Because no OS-level isolation, syscall filtering, privilege dropping, or mandatory file-access enforcement is implemented, consumers may rely on this as a security boundary when it is not one, leading to sandbox bypass by design.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill includes an auto-install path that performs network package installation and executes pip without a strong, explicit warning in the non-interactive ensure_dependencies(auto_install=True) flow. In an agent-skill context, this is more dangerous because callers may enable auto_install programmatically, causing unexpected system modification and dependency retrieval from external package sources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The extractor explicitly returns document core metadata such as author, creation time, and modification time along with text content. In many workflows this metadata can contain sensitive personal or organizational information, and exposing it by default without minimization or clear consent increases the risk of unintended privacy leakage.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The generate() method writes directly to a caller-supplied output_path with open(output_path, 'w'), which will create or overwrite files without validation, restriction, or explicit confirmation. In an agent setting, if output_path can be influenced by untrusted input, this can lead to arbitrary file overwrite, data loss, or writing reports into sensitive locations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.