Didichuxing

Security checks across malware telemetry and agentic risk

Overview

This appears to be a documentation-style API skill with sensitive examples, not a hidden or automatic data-exfiltration tool.

Reasonable to install if you need this API guidance. Do not paste real client secrets, employee phone numbers, billing details, or trip locations into examples unless you are authorized to use that data and the provider’s privacy and retention terms are acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The enterprise API example explicitly sends an employee phone number plus origin and destination address data to an external endpoint, which are sensitive personal and travel data elements. Even though this is documentation/sample code rather than an auto-executing workflow, failing to warn about data sensitivity, consent, and applicable privacy requirements can lead users to implement unsafe integrations or transmit personal data without adequate notice or controls.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The token acquisition example transmits client_id and client_secret to obtain an access token but does not state that these credentials are highly sensitive secrets. Readers may incorrectly embed secrets in client-side code, logs, or examples copied into insecure environments, which could enable unauthorized API access if the credentials are exposed.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal