招标情报采集 (Tender Intelligence Collection)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a tender-reporting tool, but one report mode runs an unbundled workspace script through a shell and the package asks for tender-site cookies and a Feishu webhook without clearly scoped runtime use.

Review before installing. Use it only in a workspace where you trust any `scripts/generate-report-v8.mjs` file, and do not provide tender-site cookies or Feishu webhook secrets until you understand which local scripts will read and use them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
The skill imports and uses `child_process.spawn` to execute external Node scripts via the `--report` path, which expands its capability beyond simple local tender-data search. Although the current script names are hard-coded, invoking a shell and executing files from workspace paths increases risk if those files or directories can be modified by another actor, leading to unintended code execution within the skill context.

VirusTotal

66/66 vendors flagged this skill as clean.
