Back to skill

Security audit

Product Research

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Amazon product-research skill that queries market data and produces business recommendations, with no evidence of hidden persistence, destructive behavior, or credential theft.

Install this only if you want an agent to perform Amazon product research using a SellerSprite-style data backend. Review the external data-layer dependency and any API credentials it requires, and treat the output as business analysis rather than a guaranteed financial decision.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger examples are generic product-analysis requests and do not clearly bound when the skill should activate, which can cause the agent to invoke this skill in unrelated contexts. Over-broad activation increases the chance of inappropriate tool use, unintended data access through linked backends, or incorrect responses when a narrower skill should have been selected.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The skill description hardcodes a Chinese-language interaction pattern without offering language negotiation, which can override user preference and lead to confusing or inaccessible output. While not a direct security exploit, it can degrade user control and increase the chance of misinterpretation of business recommendations or risk information.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.