Security audit

Ecommerce Data Export

Security checks across malware telemetry and agentic risk

Overview

This is a simple report-export skill whose file creation and scheduled-report ideas are visible and aligned with its ecommerce reporting purpose.

Before installing, be aware that generated reports may contain business-sensitive product, price, or sales information. Confirm file output paths and any scheduled sending destination before enabling recurring reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (86% confidence)
Finding
The trigger phrases are very broad and map directly to actions like report generation and scheduling without any stated confirmation, scope limits, or approval boundaries. In an agent setting, this can cause overbroad activation, unintended file creation, or recurring scheduled tasks from casual natural-language requests, especially when URLs, product lists, or time-based instructions are mentioned.

Missing User Warnings

Medium (91% confidence)
Finding
The skill describes exporting Excel/PDF reports and timed generation but does not warn users that these operations may write files or automatically send reports. This missing disclosure increases the chance of users unintentionally causing local file writes, data persistence, or outbound sharing of potentially sensitive business data.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.