military bidding fetcher

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed procurement-notice scraper that fetches public bidding listings and writes Excel reports, with some broad trigger wording users should understand.

Install only if you want a local Python scraper that contacts the named procurement sites and creates Excel files. Prefer the explicit /milb-fetcher command, set output paths intentionally, and run it from a trusted directory because local .env configuration can affect keywords, proxy use, regions, and output location.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The top-level description includes broad activation phrases such as '抓取商机' and '查新' that could match ordinary user conversation instead of an intentional tool invocation. Over-broad triggering can cause the agent to start network scraping and file-generating behavior unexpectedly, increasing the chance of unintended external requests and data handling.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The standalone trigger list contains vague terms like '抓取', '采集', '爬虫', and '查新' without contextual constraints. These generic words are likely to appear in benign conversation, making accidental activation more likely and allowing the skill to initiate scraping behavior when the user may only be discussing those topics.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal