Back to skill

Security audit

samOnboarding山姆超市产品上架指导

Security checks across malware telemetry and agentic risk

Overview

This is a procedural guidance skill for Sam's Club food supplier onboarding, with no evidence of hidden code, automatic actions, data access, persistence, or destructive behavior.

Use this as an onboarding checklist and procedural aid, not as official Sam's Club, legal, or food-safety advice. Avoid pasting full bank account numbers, tax IDs, license scans, or confidential contracts into chat; verify official supplier portal channels and upload sensitive documents only through trusted business systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is broadly framed as guidance for the full Sam's Club food onboarding process, without clear limits on when it should activate versus when the base assistant should handle the request. Overbroad activation can cause the skill to trigger on loosely related food, compliance, or onboarding queries, increasing the chance of irrelevant guidance, context hijacking, or inappropriate collection/use of sensitive business documents.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The activation condition combines several broad scenarios such as onboarding process questions, food compliance requests, and feasibility analysis, but does not define boundaries or disambiguation rules. In practice, this can lead to accidental invocation for generic regulatory, retail, or product-advice conversations, exposing users to mis-scoped procedural guidance and increasing the attack surface for prompt-routing abuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs users to collect and submit sensitive business, financial, and contact information, including bank account and tax identifiers, but provides no privacy, minimization, storage, or transmission safeguards. In an agent skill context, this increases the risk that users will overshare sensitive data into chat or that the agent will encourage unsafe handling of regulated or confidential information.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.