Bailian Search

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Alibaba Cloud DashScope web-search skill, with the main privacy consideration that searches and the API key are sent to Alibaba Cloud during use.

Install this only if you are comfortable using an Alibaba Cloud DashScope API key and sending search queries to Alibaba Cloud. Avoid searching for secrets, regulated personal data, or confidential business details unless that use is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly requires environment access for `DASHSCOPE_API_KEY` and network access to Alibaba Cloud, but the manifest does not declare explicit permissions. This creates a transparency and consent problem: hosts or users may not get a clear, standardized warning that the skill can exfiltrate prompts/queries to an external service and read sensitive environment data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes real-time search but does not prominently warn users that their search queries are sent to Alibaba Cloud's external service. Users may unknowingly submit sensitive prompts, internal data, or regulated information to a third party, creating privacy, confidentiality, and compliance risk.

VirusTotal

60/60 vendors flagged this skill as clean.
