Back to skill

Security audit

Dropship Helper

Security checks across malware telemetry and agentic risk

Overview

This skill is a static reference helper with misleadingly generic finance-style content, but it does not access credentials, use the network, persist data, or modify the system.

Install only if you want a lightweight static reference. Do not rely on its dropshipping, financial, regulatory, or compliance text as authoritative advice, since the content appears generic and not tightly tailored to dropshipping.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script's behavior does not match the advertised dropshipping business purpose and instead serves generic finance reference content. This kind of capability mismatch is dangerous because it can mislead users, downstream agents, or reviewers about what the skill is actually for, undermining trust and enabling deceptive packaging that could hide unauthorized or irrelevant functionality in a broader toolchain.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.