Taobao Listing

Security checks across malware telemetry and agentic risk

Overview

This is a local Taobao copywriting helper, but it can create unverified commercial claims and stores entered arguments locally without clear notice.

Review before installing. Treat all generated copy as draft placeholder text, and do not publish claims about sales, ratings, certifications, guarantees, buyer reviews, endorsements, or incentives unless they are true, documented, and compliant with Taobao and advertising rules. Avoid entering sensitive client, product-launch, or campaign details unless local history logging is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The script records user-supplied arguments into a local history file via `_log` without any notice, consent, or opt-out. While this is not code execution, it can expose sensitive prompts, product ideas, business data, or accidentally pasted secrets to other local users, backups, or support bundles, making it a real privacy/security issue.

VirusTotal

66/66 vendors flagged this skill as clean.
