bidding-tracker

Security checks across malware telemetry and agentic risk

Overview

This bidding tracker is not plainly malicious, but it needs review because it handles sensitive procurement data with broad local file access and weak access boundaries in some query/script paths.

Install only in a controlled workspace and run it from trusted directories. Keep DB_PATH and ATTACHMENTS_DIR fixed to approved locations, do not pass arbitrary local files to evaluate, and review the role/query controls before using it for sensitive military, government, or commercial procurement records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell commands, reads local files, and consumes environment-based configuration, but does not declare any permissions or trust boundaries. This creates hidden capability exposure: an agent or reviewer may assume the skill is metadata-only while it can access local documents, configuration, and execute CLI actions that modify persistent state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared description frames the skill as a bidding lifecycle tool, but the documented behavior also includes account administration, direct reading of local config under ~/.config, parsing arbitrary local tender files, and writing evaluation outputs back into project records. This mismatch weakens user consent and review accuracy because higher-risk behaviors are not obvious from the top-level description.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documentation instructs that state can be changed outside the normal CLI workflow via direct database writes or cron-triggered transitions. Bypassing the state machine and audited command path can undermine integrity controls, enable unauthorized or inconsistent status changes, and make forensic review harder.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The prompt directs the model to generate strategic bid-winning tactics, score-optimization, and pricing countermeasures that go well beyond the declared scope of bid-opportunity tracking. In this procurement context, that expands the skill into proposal manipulation and competitive gaming, creating a meaningful risk of unfair or deceptive conduct if used operationally.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The prompt instructs the model to select the 'most lethal entity' and ask the user for ways to fill capability gaps, including external sourcing paths, which is not reflected in the skill's stated purpose. That hidden expansion of authority can facilitate circumvention of qualification limits or opaque teaming/subcontracting decisions without appropriate governance.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The ID-based lookup returns any project record without verifying the caller’s identity or applying the same role restrictions used in list queries. In a bidding-management tool, project records may contain sensitive commercial and government procurement information, so a user who can invoke this script can enumerate IDs and access unauthorized project details.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation states that project queries are role-filtered, but the implementation does not apply that protection to --id lookups. This mismatch is security-relevant because operators and downstream automation may rely on the documented access control behavior and unknowingly expose unrestricted project-detail access.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill manifest says it only handles bidding lifecycle tasks and explicitly excludes unrelated business functions, but the code exposes user/team management operations such as users and adduser. That scope expansion creates administrative capability beyond the declared purpose, increasing the chance of misuse and privilege abuse inside an agent environment.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
extract_document_text accepts an arbitrary file path and reads local PDF, DOCX, or text content, with no directory allowlist, type verification beyond extension, or business-scope restriction. In an agent setting, this is effectively a local file read primitive that can be abused to exfiltrate sensitive host data under the guise of tender evaluation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The evaluate command does more than bid tracking: it packages full document contents, prompts, and profile data into a payload for LLM consumption. That turns the skill into a document extraction/orchestration channel, which materially broadens capability and raises confidentiality risk if sensitive tender files or unrelated local files are processed.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
This script implements user bootstrap, privilege assignment, and user enumeration, which materially exceeds the stated scope of a bidding-tracker skill. Because it creates the first director account without any external trust validation and authorizes new users based only on a caller-supplied ID, it introduces a sensitive identity/authorization surface that can be abused if exposed through the agent or automation layer.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
`query_by_id()` directly returns any project row by numeric ID and the `main()` path for `--id` does not require or enforce `--user-id`, so the role-based filtering implemented in `query_all()` is completely bypassed for detail lookups. In a bidding-management tool, project details can contain sensitive procurement timelines and business opportunity data, making this a direct insecure direct object reference / missing authorization issue rather than a harmless inconsistency with documentation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill states that provided files are automatically moved into an attachment directory, but does not clearly warn the user that the original file location will change and that the file may persist on disk. Silent relocation of local files can cause data handling surprises, break user workflows, and increase exposure of sensitive procurement documents.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The prompt silently instructs the model to read and rely on profiles.md, but does not disclose to the user that another local file will influence the output. This creates a transparency and data-governance issue: users may unknowingly receive advice shaped by hidden internal data, which can expose sensitive business information or produce unexplained recommendations.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The list command returns all users' identifiers, names, roles, contact details, and timestamps with no authorization check at all. Any local caller able to run the script can enumerate personally identifying information, which is especially sensitive in a business bidding context where staff identities and contact data may be confidential.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The evaluation response directly returns document_text to the caller without warning, confirmation, or redaction. Because the file path can come from attachments or user-provided input, this behavior can disclose sensitive procurement content or arbitrary local file data to the agent/user layer.

Ssd 4

Medium
Confidence
93% confidence
Finding
The 'interactive sniper' framing, combined with staged score attrition, hidden-cost pricing deltas, and tactics for overcoming capability gaps, steers the model toward manipulative bid-optimization behavior. In a government/military procurement setting, that context makes the pattern more dangerous because it can support unfair competition, deceptive proposal shaping, or advice aimed at exploiting procurement mechanics rather than ensuring compliant participation.

Credential Access

High
Category
Privilege Escalation
Content
    # Snapshot the keys the process already has (these keys will not be overwritten)
    original_keys: frozenset[str] = frozenset(os.environ.keys())

    user_env = Path.home() / ".config" / "bidding-tracker" / ".env"
    cwd_env = Path.cwd() / ".env"

    # Read both files; CWD takes precedence (the later file overrides identical keys from the earlier one)
Confidence
84% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
    original_keys: frozenset[str] = frozenset(os.environ.keys())

    user_env = Path.home() / ".config" / "bidding-tracker" / ".env"
    cwd_env = Path.cwd() / ".env"

    # Read both files; CWD takes precedence (the later file overrides identical keys from the earlier one)
    merged = _read_dotenv(user_env)
Confidence
84% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def get_evaluate_prompt() -> str:
    """Return the evaluation/analysis prompt content (automatically triggers .env loading).

    Priority: ~/.config/bidding-tracker/evaluate_prompt.md > in-package default
    """
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def get_profiles() -> str:
    """Return the bidding entity's strategic asset library content (automatically triggers .env loading).

    Priority: ~/.config/bidding-tracker/profiles.md > in-package default
    Users can edit ~/.config/bidding-tracker/profiles.md to update company qualifications/track record without changing code.
Confidence
81% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
