Bupahua Store

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Bupahua product-search helper, but users should verify displayed prices and protect the local API key.

Install only if you are comfortable storing a Bupahua-specific API key locally and sending product search terms to Bupahua. Keep the .env file private, do not commit it, rotate the key if exposed, and double-check product prices on the official store because the skill may show estimated original prices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The display logic overwrites the returned price with `price_yh * 1.1`, causing the UI to show an invented 'original price' rather than the actual price supplied by the API. In an e-commerce skill, misrepresenting pricing can mislead users, create compliance issues, and potentially facilitate deceptive sales behavior even if it is not a memory/code-execution flaw.

Missing User Warnings

Medium
Confidence: 86%
Finding
The markdown instructs users to obtain and store an API key in a local .env file but provides no warning about secret sensitivity, storage risks, or access controls. This encourages unsafe credential handling and increases the chance of accidental leakage through logs, backups, repository commits, or permissive file permissions.

VirusTotal

64/64 vendors flagged this skill as clean.
