Back to skill

Security audit

Order From Whole Foods

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Whole Foods ordering assistant with configurable spend and confirmation limits, but users should set conservative purchase settings before use.

Install only if you are comfortable with an agent operating your logged-in Amazon/Whole Foods browser session. For first use, set purchase_mode to add_to_cart_only or confirm_before_buy to true, choose a low max_auto_spend, and leave calendar_blocking_enabled false unless you want delivery or pickup events added automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill’s declared purpose is grocery ordering, but it also instructs the agent to create calendar events automatically when calendar support is present. This expands the skill’s effective authority beyond what a user would reasonably infer from the manifest, increasing the chance of unexpected cross-tool actions and consent bypass for a secondary system.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Automatic calendar modification is not necessary to complete a grocery order and is therefore a context-expanding side effect. Even if intended as a convenience feature, it lets the skill write to another personal data domain, which can create privacy issues, scheduling disruption, or unexpected persistence beyond the ordering task.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill permits high-impact actions—automatic purchase placement and later calendar creation—based on saved configuration, but the description does not prominently warn users that orders may be placed without an interactive confirmation. That weakens informed consent and increases the risk of surprise charges or unintended downstream actions if configuration is stale, misunderstood, or overly permissive.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Treat the user's saved config as policy, not as a suggestion.
- `confirm_before_buy: true` always requires confirmation before checkout.
- `purchase_mode: add_to_cart_only` never places an order.
- `purchase_mode: auto_buy` may place the order without confirmation only when:
  - `confirm_before_buy` is `false`
  - the estimated total is known
  - the estimated total is less than or equal to `max_auto_spend`
Confidence
83% confidence
Finding
without confirmation

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.