Ecommerce Engine

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only ecommerce playbook with privacy and platform-policy caveats, not a skill that installs code, uses credentials, or performs hidden system actions.

Before installing, treat this as business guidance from a low-trust publisher: verify marketplace rules, use explicit opt-in consent for email/SMS collection, configure analytics pixels only after required cookie/privacy disclosures, and review external paid links before purchasing or relying on them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill recommends installing Facebook Pixel and verifying conversion tracking, which enables behavioral tracking and profiling of visitors. Presenting this without any consent, disclosure, or jurisdiction-specific privacy safeguards can lead users to deploy tracking in ways that violate GDPR/CCPA/ePrivacy requirements and expose customer data to third parties.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The guidance to build an email list from marketplace customers via insert cards and QR codes encourages collecting off-platform customer data from a marketplace relationship without warning about platform rules or privacy obligations. This can lead to policy violations, improper consent capture, and misuse of customer contact acquisition flows in ways that risk account suspension and regulatory exposure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal