Back to skill

Security audit

Agentic Commerce — Lifestyle, Wellness, & Gifts

Security checks across malware telemetry and agentic risk

Overview

This is a real shopping skill for one store, but its payment and error-recovery instructions do not consistently require user approval before high-impact steps.

Install only if you want an agent to shop through forthecult.store. Require the agent to show the cart, total, shipping details, payment chain/token, and destination address for your approval before checkout or payment instructions, and do not allow automatic error recovery to change purchase, payment, identity, or wallet details without asking you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The example purchase flow instructs the agent to reveal the payment address and amount immediately after checkout, even though the skill elsewhere requires explicit user confirmation before providing payment instructions. In a commerce skill that can initiate checkout for physical goods, this inconsistency can cause an agent to advance a financial transaction without a distinct confirmation gate, increasing the risk of unauthorized or unintended purchases.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger conditions are broad enough to activate this third-party commerce skill for generic shopping, gifting, and buying requests, not just clear For the Cult-specific requests. That increases the chance an agent routes users into an autonomous purchase workflow and begins collecting shipping, email, and payment preferences in situations where narrower store-specific invocation would be safer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This example duplicates the same unsafe pattern: it provides payment instructions immediately after checkout without a separate explicit confirmation step, contradicting the stated safety guardrails. In a crypto-payment flow, exposing the exact destination address and amount too early can push users toward irreversible payment before they have clearly approved the transaction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This checkout specification instructs agents how to create real purchase orders and includes fields for email, shipping address, and payment details, but it does not explicitly warn that invoking the endpoint transmits personal and transaction-related data to an external checkout API. In an agentic commerce context, that omission can cause users or downstream integrators to share sensitive data without clear notice or consent, increasing privacy and compliance risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The wallet discount section says the API checks on-chain CULT token balance, but it does not present this as a user-facing privacy warning or consent requirement. Because wallet addresses are persistent identifiers that can reveal transaction history and holdings, silently submitting them for eligibility checks can expose more user data than expected, though the impact is narrower than the full checkout request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly tells agents to use server-provided `suggestions` to auto-recover without human intervention. Because those suggestions can direct the agent to alter queries, call other endpoints, or change request parameters, this creates a prompt/data-driven workflow where untrusted API output can steer follow-up actions without adequate validation or user confirmation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The auto-recovery pattern recommends automatically executing the first suggestion, including rerunning searches, calling other endpoints, and fixing fields, all based on error content. Since error payloads are externally supplied data, this can let a compromised or buggy backend manipulate agent behavior, causing unintended requests, silent data mutation, or chained actions the user did not approve.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.