Back to skill

Security audit

Etsy Seller Coach

Security checks across malware telemetry and agentic risk

Overview

This Etsy coaching skill is mostly coherent, but it gives under-scoped advice to move buyer email addresses into third-party marketing tools.

Review carefully before installing. Do not import Etsy buyer emails into external marketing platforms unless customers have clearly opted in and the use is allowed by Etsy rules and applicable privacy or anti-spam laws. Do not share credentials, raw customer lists, or let an agent change listings, ads, refunds, or account settings without explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Natural-Language Policy Violations

High
Confidence
96% confidence
Finding
The skill explicitly instructs sellers to capture Etsy buyer emails into third-party marketing tools, but provides no requirement to obtain consent, verify Etsy policy compliance, or follow privacy laws such as CAN-SPAM/GDPR. In this context, the guidance can lead users to misuse customer data collected through Etsy for off-platform marketing, creating privacy, compliance, and account-enforcement risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.