E-commerce Skills

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed, read-only shopping/product search helper, with no evidence of checkout, credential use, persistence, or hidden behavior.

Before installing, understand that your shopping queries may be sent to the Vistoya catalog service and results may include merchant links. Verify prices, availability, merchant terms, and checkout details yourself before buying; the skill should not submit purchases or handle payment data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill's invocation description is very broad and can match many ordinary ecommerce-related requests, increasing the chance that the skill is triggered in situations the user did not explicitly intend. Over-broad auto-invocation can expose external API usage, unexpected data handling, or unreviewed outputs in a wider set of contexts than necessary.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal