物达通 ERP

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent ERP helper, but it gives agents broad authenticated ERP access, and its request-routing rules and credential-handling practices are weakly scoped; users should review these before installing.

Install only if you trust the publisher and intend to let an agent operate against this WindaKa ERP environment. Before use, restrict who can invoke raw API calls, avoid broad knowledge searches for unrelated questions, protect or rotate any RAGFlow API key entered during setup, and require explicit confirmation for write or bulk-access operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The skill gives conflicting instructions about token-expiry handling: one section says the CLI does not automatically re-login, while the error-handling table says it auto-triggers login and provides a new link. In an agent-driven workflow, this inconsistency can cause failed auth recovery, stalled tasks, or incorrect assumptions about when user interaction is required, which is a security-relevant reliability flaw for authenticated ERP actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The documented `api` fallback grants a caller arbitrary authenticated access to backend ERP endpoints, which significantly exceeds the narrowly described workflows of querying knowledge, work orders, projects, directory, fees, and reports. In an agent setting, this broad primitive can be used to reach sensitive or destructive APIs the skill manifest did not explicitly scope, increasing the risk of over-privileged actions, data exfiltration, and policy bypass.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The document explicitly instructs the agent to use a generic raw API call to `/workorder/master/getAllList` for a full work-order overview, which goes beyond the safer user-scoped shortcuts such as `+list` and `+handle-list`. In an agent setting, this materially increases the chance of overbroad data access, enumeration of records across projects or users, and accidental retrieval of sensitive operational data whenever the model chooses the raw API path.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The metadata description says that, except for explicit small talk, 99% of user requests should first invoke this skill. That creates an overbroad routing rule that can hijack unrelated requests into a high-privilege ERP/knowledge tool, expanding unnecessary data access and increasing the chance of unintended operations or sensitive retrieval.

Vague Triggers

Severity: High
Confidence: 96%
Finding
The instruction '其他所有问题 → `knowledge +search`' ('all other questions → `knowledge +search`') is an ambiguous catch-all that routes all remaining user queries into the skill. In practice, this can cause the agent to overuse enterprise knowledge retrieval for unrelated prompts, potentially exposing internal content or mishandling user intent by defaulting into an enterprise system when no clear match exists.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The document instructs users to set a RAGFlow API key directly on the command line without warning about credential sensitivity, shell history exposure, logging, or least-privilege handling. In practice, this can cause secret leakage through terminal history, screenshots, process inspection, or copied transcripts, especially in shared admin or agent environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill documentation instructs users to enter a long-lived RAGFlow API key, store it in plaintext configuration, and even shows masked-but-displayed key output after saving. This operationalizes secret handling without warning about credential sensitivity, file permissions, rotation, shell history leakage, or use of a secure secret store, increasing the chance of credential disclosure and downstream unauthorized access to the knowledge base service.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
This section normalizes retrieval of work-order details and user search results that include personal and operational data such as contact names, masked phone numbers, room/parking identifiers, department names, and user directory information, without any privacy minimization guidance. In a skill intended to answer most ERP questions by default, that omission makes it more likely the agent will disclose PII or internal staff data too broadly or to the wrong requester.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The raw API section advertises privileged overview endpoints such as `/workorder/master/getAllList` and related statistics/approval listings with no warning about bulk access, least-privilege use, or sensitivity of the returned records. Because the skill description says 99% of user questions should route through this skill, the context makes this more dangerous: the agent may treat broad ERP access as normal and expose large-scale internal operational data.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The interactive setup normalizes collecting the user's RAGFlow API key in a terminal workflow and then displaying saved configuration details including a partially revealed key. In real environments, terminal sessions may be recorded, shoulder-surfed, copied into chat, or logged by tooling, so normalizing this pattern materially increases secret exposure risk.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The manual configuration section explicitly shows plaintext credential entry via command line and states that the API key is stored in ~/.erp-cli/config.json. Command-line arguments can leak through shell history, process inspection, audit tooling, screenshots, and plaintext local files, making secret compromise more likely.

VirusTotal

VirusTotal findings are pending for this skill version.