Back to skill

Security audit

AI投标策略顾问-报价与竞争策略

Security checks across malware telemetry and agentic risk

Overview

This skill is a real bidding-analysis integration, but it automatically creates and persists service credentials, fingerprints the device, and preserves signed access links in reports without enough user control.

Review this before installing if you are uncomfortable with automatic account creation, device fingerprinting, local API-key storage, or signed vendor links being saved into shareable reports. Prefer setting your own ZLBX_API_KEY first, avoid sharing generated HTML reports unless you trust the recipients, and treat any sk or auto-login URLs as sensitive unless the provider clearly says they are safe to redistribute.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents local file reads and writes, including reading a config file and writing HTML reports, but does not declare corresponding permissions. This creates a transparency and consent gap: the runtime may access local resources users and reviewers do not expect, which increases the risk of unintended data exposure or unauthorized filesystem interaction.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill goes beyond advisory analysis by automatically registering external accounts and initiating onboarding/account-balance flows. This is risky because it causes external side effects on behalf of the user, may transmit device-derived identifiers, and can create accounts or billing state without explicit, granular consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation instructs the skill to retrieve credentials from a local configuration file and to store credentials locally. Accessing local secrets is highly sensitive and broader than a simple bidding-advice function, especially when paired with automatic fallback behavior and suppressed user prompting. If misused or extended, this pattern can normalize secret harvesting from the filesystem.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This document instructs the agent to collect device fingerprints, auto-register an account with a third-party service, and persist returned API credentials, even though the skill is presented as a bidding-strategy advisor. That is a material expansion of scope involving host data collection and credential management, which creates privacy, consent, and secret-handling risks unrelated to the user-facing purpose of the skill.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill embeds device fingerprinting, account creation, and auto-login support that are unrelated to bidding advice and instructs the agent to gather platform, architecture, and a hashed MAC-derived identifier from the local machine. Even with hashing, this is still a stable device identifier used for tracking/deduplication, and the mismatch between declared purpose and actual behavior makes the capability more dangerous because users are unlikely to expect it.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documented flow writes an API key into ~/.zlbx/config.json in the user's home directory and then immediately reuses it, despite the skill being framed as an advisory tool rather than an authentication manager. Persisting credentials in a predictable filesystem path increases the blast radius if the local environment is shared, backed up insecurely, or later accessed by other tools, and it occurs without a clearly separated consented setup step.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The template explicitly requires disclosing raw API-returned URLs containing `sk` authentication-like parameters to end users. If those signed links function as bearer-style access tokens, exposing them in chat output and downstream artifacts can leak privileged access, enable unintended sharing, and weaken access controls. Requiring disclosure of absolute local HTML output paths also reveals host filesystem details that are unnecessary for the user and may aid environment reconnaissance.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file instructs the agent to generate an HTML report by default, write JSON to a temporary file, execute a local script, and then disclose the resulting absolute path to the user without prior warning or consent. This creates an unnecessary side effect on the host environment and exposes local path information, which can surprise users and increase the risk of sensitive data persistence or environment leakage.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The workflow explicitly instructs the agent to read a local tender file, but it provides no requirement to warn the user, confirm consent, or describe how file contents may be processed or transmitted afterward. In a skill that also relies on external APIs, this creates a real privacy and data-handling risk because sensitive procurement documents may be accessed and potentially used beyond the user's expectations.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The workflow mandates outbound API calls with authentication headers, but it does not instruct the agent to disclose this network behavior to the user. While the headers themselves are normal for backend access, the undisclosed transmission of project data to third-party services is a legitimate transparency and privacy issue, especially for commercially sensitive bidding information.

Ssd 3

High
Confidence
98% confidence
Finding
The template mandates preserving and redisclosing original API URLs with `sk` parameters in both chat responses and generated HTML/JSON artifacts. Because `sk` appears to be a login-bypass or signed access parameter, this behavior risks propagating bearer-like secrets into logs, transcripts, files, and user shares, potentially granting unintended third parties access to protected resources. The surrounding bidding-analysis context increases the sensitivity because linked records may contain commercially sensitive procurement intelligence.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.