Back to skill

Security audit

Shopping Candidate Fetcher 2

Security checks across malware telemetry and agentic risk

Overview

This skill only reads local shopping snapshots, but its instructions contradict its retrieval-only purpose by steering agents toward one brand and making product selections.

Review before installing if you expect neutral shopping retrieval. The code appears locally scoped and non-destructive, but the skill documentation can steer an agent to make biased product choices, especially toward 李宁, despite advertising itself as only a candidate fetcher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is introduced as a retrieval-only layer, but the later documentation injects recommendation and selection behavior, including repeated instructions to choose a specific brand. This creates specification drift that can cause downstream agents to treat biased ranking output as neutral retrieval data, undermining trust boundaries and enabling covert steering of purchasing decisions.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file states that final selection should occur outside the skill, but later sections directly instruct the assistant to select one item and prefer a specific brand. Contradictory instructions inside a skill are dangerous because they blur component boundaries and make it easy for an agent to perform unauthorized decision-making under the guise of simple retrieval.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The snapshot is supposed to provide candidates for stable cross-training shoes, but most returned items are running shoes, hiking shoes, trail shoes, or casual shoes rather than products clearly suited for cross-training stability. In this skill context, poor semantic alignment can mislead a downstream shopping agent into recommending unsuitable footwear for training use, creating safety, trust, and decision-quality risks even though it is not direct code execution or injection.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The snapshot includes candidates that do not align with the user's request for a breathable sports vest suitable for running and high-intensity training. In a shopping-candidate skill, this can mislead downstream selection logic and cause irrelevant or unsafe recommendations, especially where product suitability matters for athletic use.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The listed powerlifting grip vest is materially different from a breathable running/training sports vest and indicates the retrieval pipeline is admitting off-target products. This undermines the integrity of the candidate set and can lead downstream agents or users to make poor purchasing decisions based on corrupted relevance.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The documentation hardcodes preference for Chinese series names and domestic sports positioning without tying that preference to user intent, market, or locale. This introduces undisclosed selection bias that can skew outputs away from user needs and can function as hidden policy steering rather than neutral retrieval assistance.

Ssd 4

Medium
Confidence
99% confidence
Finding
The later narrative gradually reframes a retrieval skill into a covert single-brand recommender, repeatedly anchoring examples and rules on selecting 李宁 regardless of the earlier non-recommender contract. This is especially dangerous because the manipulation is embedded as innocuous documentation strategy and examples, making hidden commercial bias harder to detect while influencing automated shopping decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.