Pinduoduo Deal Finder

Security checks across malware telemetry and agentic risk

Overview

This is a simple shopping deal-finder skill whose web lookup behavior matches its stated purpose, with some privacy and activation caveats.

Install only if you are comfortable with an agent fetching shopping pages and comparing prices online. Avoid sharing login cookies, payment information, or account sessions, and confirm before enabling any ongoing product monitoring or reminders.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The invocation examples are broad natural-language phrases like '查看今天的拼多多神价' and '查询这个商品的比价信息' without a clear namespace or trigger boundary. This can cause accidental or overly broad activation in unrelated shopping conversations, leading the agent to fetch external commerce content or act on ambiguous URLs when the user did not explicitly intend to invoke this skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal