1688 Price Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward 1688 product lookup helper with expected network use and no evidence of hidden persistence, credential access, or destructive behavior.

Install only if you are comfortable sending 1688 product URLs, item IDs, and search keywords to 1688. Treat returned prices and supplier details as reference data and verify them before business decisions; using a trusted Python environment for the requests dependency is advisable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 72% confidence
Finding: The invocation example uses a broad natural-language trigger for finding suppliers without clear constraints on allowed domains, query scope, or expected user inputs. Overly broad triggers can cause unintended activation, ambiguous execution paths, or use of arbitrary user-supplied links/searches that increase the chance of unsafe network requests or prompt abuse. In this skill, the danger is somewhat limited because the business purpose is narrow, but the lack of constraints still increases attack surface.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal