Back to skill

Security audit

Logistics Tracker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real logistics tracker, but it needs Review because it can automatically use customer/order data to update shipment state and send emails or alerts without per-action confirmation.

Install only if you intend this skill to read order/customer shipment data, call 17Track, maintain local shipment state, and send customer or internal emails. Before live cron use, run dry-run mode, set explicit alert recipients, use least-privilege SMTP/API credentials, disable or review automatic lost/returning transitions, and avoid domain-based order matching for production customer data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation describes access to API keys, SMTP credentials, and local skill data sources, but no declared permissions are present to make those capabilities explicit. This creates a transparency and governance gap: reviewers and users cannot easily understand that the skill reads environment-backed secrets and interacts with other skills' data, increasing the chance of over-privileged or unexpected execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The stated purpose is shipment tracking and notification, but the documented behavior goes well beyond that by reading order-tracker data, maintaining persistent local state, parsing emails/files, linking orders, and auto-registering new shipment records. This mismatch is dangerous because operators may approve the skill for a narrow purpose while it actually processes additional sensitive data and performs broader automation than expected.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The module does more than alert: it automatically changes shipment state to 'returning' or 'lost' based on heuristic anomaly detection, including keyword matching and stale-update thresholds. Because these transitions are side effects driven by potentially noisy or malformed tracking data, a false positive can silently corrupt operational state and trigger downstream business actions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module invokes an external SMTP skill via a child process, creating a trust boundary crossing and granting this skill an additional execution capability outside pure anomaly detection. While execFileSync avoids shell injection, the code still launches another script with inherited environment variables, so compromise or misbehavior in the external skill could expose credentials or perform unintended actions.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code reads local order records and correlates them using sender email domain matching, which is a weak identity signal and can associate extracted tracking numbers with the wrong customer or order. In a logistics context this increases privacy and integrity risk because emails from the same domain, shared corporate domains, or spoofed sender fields could cause unintended cross-order linkage and exposure of linkedOrder data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill automatically sends customer emails and alerts, yet the documentation does not clearly disclose that order and logistics data will be transmitted to external parties and services. Without explicit notice and confirmation controls, the skill can cause unintended disclosure of customer identifiers, shipment metadata, and operational alerts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Batch processing can persist extracted shipment data into shipment-store automatically once registerShipments is enabled, with no confirmation or approval at the write point. Because the extracted values come from email content, this can create or poison shipment records from malformed, spoofed, or low-quality inputs and may trigger downstream workflows on untrusted data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/anomaly-detector.js:610

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/customer-notify.js:536