Ecommerce Trend Radar

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a documented e-commerce research helper, but its paid-use flow tells clients to send payment credentials over plain HTTP.

Review this skill carefully before installing or integrating it. The trend-reference content itself is low risk, but do not send payment credentials or paid requests to the documented HTTP endpoint unless the publisher provides an HTTPS endpoint with clear credential-handling and replay-protection guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs clients to send payment credentials in an HTTP header and shows a non-TLS gateway, but provides no warning about transport security, credential sensitivity, logging exposure, or replay risks. Payment tokens transmitted over plaintext HTTP can be intercepted by network attackers or exposed through proxies, logs, and middleware, potentially enabling fraudulent reuse or account abuse.

Missing User Warnings

Medium (98% confidence)
Finding
The payment protocol advertises an http:// gateway for a paid transaction flow, which exposes payment metadata and follow-on requests to interception or tampering in transit. In a payment context, lack of TLS is especially dangerous because users and integrators may treat the documented endpoint as authoritative and send sensitive payment-related data to it.

VirusTotal

64/64 vendors flagged this skill as clean.
