taobao-dianshang

Security checks across malware telemetry and agentic risk

Overview

This skill is instruction-only and matches its Taobao publishing purpose, but it can publish live seller listings without a required final confirmation step.

Install only if you want an agent to operate a real Taobao/Qianniu seller workflow. Before using it, require the agent to save drafts by default or show the title, category, images, price, stock, shipping settings, and attributes, then wait for an explicit confirmation before any live submit action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill includes a direct final publish action (clicking the submit control) without requiring an explicit user confirmation step immediately before publication. Because this skill automates a real seller workflow on Taobao/Qianniu, an unintended invocation, mis-recognized product details, or agent error could cause an unwanted product listing to go live, creating business, compliance, and reputational risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal