萤火虫报价助手V5

Security checks across malware telemetry and agentic risk

Overview

This is a coherent quotation-helper skill with local product data and a calculator; its main caveat is overpromised validation/export behavior, not malicious activity.

Before installing, verify that the publisher is authorized to issue quotes for the named company, and have final prices reviewed before sending them to customers. Public results show the listed company/homepage exists, but that does not prove this marketplace upload is official. ([fireflies.net.cn](https://www.fireflies.net.cn/?utm_source=openai))

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 91% confidence
Finding: The skill claims broader functionality than appears to be implemented, including full quotation generation, validation, and export behavior, while the underlying behavior is incomplete or different. This is dangerous because users or downstream agents may rely on nonexistent validation, output generation, or workflow controls, leading to incorrect quotes, misplaced trust, or unsafe automation decisions based on fabricated or partial business logic.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal