Enterprise Annuity Query Skill Pro (企业年金查询技能 Pro)

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate search/reporting tool, but its scripts do more than the advertised enterprise-pension-only purpose and send investigation queries to external services.

Review before installing or running. Use it only if you are comfortable sending target organization names and pension-related queries to external search providers, and do not rely on the scripts for enterprise-pension-only research until the occupational-pension search/report mismatch and broad triggers are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest claims the skill is limited to enterprise annuity searches, but several triggers expand activation to broader benefits, compensation, and organization-profile queries. This creates scope drift: users may invoke the skill for unrelated HR or welfare investigations, causing over-collection, misleading outputs, or use outside the declared purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill manifest says it only queries enterprise pensions, but the script explicitly searches for and infers occupational-pension information as well. This breaks the declared scope and can mislead downstream users into trusting conclusions about a category the skill claimed not to handle, increasing the chance of incorrect or overbroad investigations.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The script performs bulk investigation over a hard-coded list of organizations rather than handling a user-scoped target inquiry. In a security context this is a capability expansion beyond the stated purpose, enabling mass collection and reporting on multiple entities without explicit operator selection or consent per target.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The report claims mandatory error checks and cross-source verification, but these checklist items are emitted as fixed text regardless of whether validation occurred. This is dangerous because it creates false assurance in an investigative/reporting skill, causing operators to rely on unverified conclusions that may affect decisions about organizations and benefits.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata explicitly says it should query only enterprise pensions and not occupational pensions, but this code path generates a report titled for both and searches/analyzes both categories. That scope expansion can cause collection and reporting of out-of-scope information, producing misleading results and violating user expectations or policy constraints.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The keyword list intentionally includes the query string '企业年金 职业年金', directly contradicting the declared scope of the skill. This broadens external searches to a prohibited domain and increases the chance of inaccurate or policy-noncompliant reporting.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad trigger phrases like general benefits or workplace queries can cause the skill to activate in contexts unrelated to enterprise pension lookup. In a search/investigation skill, accidental over-triggering is risky because it can steer users into unnecessary data gathering or produce authoritative-looking reports on topics the skill was not designed to handle.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest does not provide strong trigger-scope guardrails even though the trigger set contains ambiguous shorthand. Without explicit constraints, downstream systems may route loosely related employee-benefit or employer-investigation requests into this skill, increasing the chance of misuse and inaccurate or privacy-invasive reporting.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends organization names and search queries, along with an API key, to Tavily without any user-facing disclosure or consent mechanism. In this skill context, organizational investigations may be sensitive, so undisclosed transmission to a third party increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script overwrites per-company reports and the summary file without warning, which can destroy prior results or mix automated output into a working directory unexpectedly. In an investigation workflow this can lead to loss of audit history, accidental disclosure through generated files, and confusion about which report version is authoritative.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User-provided company names are embedded into search queries and transmitted to the external Tavily service without any explicit consent notice or data-transmission warning. Even if the input is 'just' a company name, it may still be sensitive in context and exposes user intent and investigation targets to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
print_info "Tavily 搜索:'$query' (最多 $max_results 条结果)"
    
    local response
    response=$(curl -s -X POST https://api.tavily.com/search \
        -H "Content-Type: application/json" \
        -d "{
            \"api_key\": \"$api_key\",
Confidence
89% confidence
Finding
curl -s -X POST https://api.tavily.com/search \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
print_info "Tavily 搜索:'$query' (最多 $max_results 条结果)"
    
    local response
    response=$(curl -s -X POST https://api.tavily.com/search \
        -H "Content-Type: application/json" \
        -d "{
            \"api_key\": \"$api_key\",
Confidence
89% confidence
Finding
https://api.tavily.com/

VirusTotal

59/59 vendors flagged this skill as clean.
