Zepto

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it can act inside a logged-in grocery account and may clear cart contents without a clear per-action confirmation.

Install only if you are comfortable letting the skill operate in your logged-in Zepto browser session. Confirm the delivery address, cart contents, total, and payment link before proceeding, and be especially careful with smart-shop or clear-cart because they can remove existing cart items. Use a separate browser profile or clear the session after use if you do not want persistent access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The documentation says the skill must never click Pay, yet earlier workflow steps instruct clicking Zepto's payment button to enter the payment flow. This contradiction weakens the safety guarantee and can lead the agent to perform a higher-risk transaction step than users or reviewers expect.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The skill contradicts itself on whether cart clearing after payment should happen automatically or only with user approval. Because cart clearing is a destructive state change, inconsistent guidance can lead to unintended removal of items, or to replay-prevention logic that acts without valid consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill metadata describes grocery ordering and payment-link behavior, but the code also enumerates and changes saved delivery addresses. That expands the skill's authority beyond the disclosed purpose and can redirect orders to a different location, creating integrity and privacy risk for the user.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding: The implementation injects arbitrary JavaScript into the live Zepto page to traverse the DOM and click elements, while the docstring frames it as a simple direct click. This hidden use of page-script execution increases capability beyond normal UI automation and could be repurposed to access or manipulate more page state than users would expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The file implements and exports a full cart-clearing primitive that can remove all existing items from a user's Zepto cart, even though the described skill purpose is grocery ordering rather than account/cart hygiene. In a commerce context this is destructive state-changing behavior affecting a user's purchase intent, and it can be invoked without any built-in authorization, confirmation, or scope restriction.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: Exporting generic low-level helpers such as snapshot, click, and type gives downstream callers broad UI automation capability beyond the stated goal of ordering groceries. This increases the attack surface because other code can reuse these primitives to navigate arbitrarily, trigger unintended actions, or bypass higher-level safety checks that the skill should enforce.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The example workflow automates adding an item to the cart and ends with a success message, without any guidance to confirm the product, quantity, or price, or to obtain explicit user approval before performing a purchase-affecting action. In a grocery-ordering skill this normalizes state-changing commerce actions and increases the risk of unintended purchases, especially if the flow is later integrated into broader checkout workflows.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The example phrases are ordinary grocery-shopping requests and do not clearly require an explicit skill name or activation boundary. In environments with multiple tools or background agent routing, this can cause the Zepto skill to trigger on casual shopping language and initiate cart actions or payment-link workflows without sufficiently clear user intent.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The Quick Start section instructs users to say common phrases like "Order groceries from Zepto" and "Add milk and bread to my Zepto cart" without defining strict activation constraints. Because this skill can perform real-world commerce actions, ambiguous activation increases the chance of unintended ordering flows, especially when paired with remembered preferences and automated checkout steps.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README states that the skill handles phone-number and OTP login and uses WhatsApp payment links, but it does not warn users about sensitive credential handling, phishing risk, session persistence, or how their contact and payment-related data is stored and protected. In a commerce skill, missing safety guidance around OTPs and out-of-band payment links materially raises the risk of account takeover, unauthorized purchases, and social-engineering abuse.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The invocation examples are ordinary phrases a user might say in casual conversation, which increases the risk of accidental activation of a skill that can browse an authenticated grocery account, inspect saved addresses, and modify a cart. In a transactional skill, broad triggering is more dangerous because unintended execution can produce real-world purchases or account changes.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Discovery mode is triggered by vague phrases like "show me" or "find something," which are common in normal chat and not specific to Zepto ordering. Since discovery can drive browser automation and expose shopping and account context, ambiguous activation broadens the attack surface for unintended or prompt-induced actions.
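The four Vague Triggers findings above all describe the same missing control: an explicit activation boundary. The following is an added example of such a gate, written for this page and not taken from the skill or from Zepto. It routes a request to the skill only when the skill is named together with a shopping action, allows read-only discovery when the skill is named, and turns anything else shopping-flavoured into a clarifying question instead of an action. The verb and phrase lists are constructed for the example and would need tuning for a real deployment.

```javascript
// Added example (not the skill's own code): activation gate for a
// transactional skill. Decisions: "activate", "clarify", or "ignore".

// The skill must be named. Word boundaries avoid matching substrings.
const SKILL_NAME = /\bzepto\b/i;
// Verbs that change a cart or order. Constructed list for this example.
const COMMERCE_VERB = /\b(order|buy|purchase|add|remove|clear|checkout|deliver)\b/i;
// Generic discovery phrases that the findings call out as too broad to act on.
const DISCOVERY_PHRASE = /\b(show me|find something|what do you have)\b/i;

function classifyTrigger(utterance) {
  const named = SKILL_NAME.test(utterance);
  const commerce = COMMERCE_VERB.test(utterance);
  const discovery = DISCOVERY_PHRASE.test(utterance);

  if (named && commerce) {
    // Explicit skill name plus a shopping action: activate with full tools.
    // Each state-changing step still needs its own confirmation later.
    return { decision: "activate", readOnly: false, reason: "skill named with a shopping action" };
  }
  if (named && discovery) {
    // Browsing inside the named skill is fine, but only read-only tools are exposed.
    return { decision: "activate", readOnly: true, reason: "skill named for discovery only" };
  }
  if (named || commerce || discovery) {
    // Shopping-flavoured but ambiguous (no skill name, or name with no action):
    // fail closed and ask the user rather than start browser automation.
    return { decision: "clarify", readOnly: true, reason: "intent or target skill unclear" };
  }
  return { decision: "ignore", readOnly: true, reason: "no shopping intent" };
}

// Question the agent asks when the gate returns "clarify".
function clarifyingQuestion(utterance) {
  if (classifyTrigger(utterance).decision !== "clarify") return null;
  return "Do you want me to use the Zepto skill for this? It can change your cart.";
}
```

With this gate in front of the skill, "show me something to cook tonight" and "I should buy a laptop" both stop at a question, while "Show me Zepto offers" activates with cart-changing tools withheld.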

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The clear-cart operation performs a destructive action immediately, with no explicit confirmation gate or strong warning. In a shopping context, this can silently remove a user's existing intended purchases, causing loss of state and potentially leading to mistaken orders.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Smart shopping clears existing cart contents by default when items are already present, without requiring explicit consent at invocation time. Because this skill operates on a real commerce account, default-destructive behavior is especially risky and can overwrite user intent in a way that is disproportionate to the advertised convenience feature.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The clearCart routine performs a destructive action by clicking all detected Remove buttons and does so automatically, with retries, without any user-facing warning or confirmation. In an e-commerce skill this can silently discard a user's existing selections and interfere with active purchases, making accidental or unauthorized invocation harmful.

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it as clean.
