Daojia

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for 京东到家 shopping information, with only a routing-scope caution and no evidence of hidden persistence, credential use, purchases, or account changes.

Install only if you want the agent to help with 京东到家-specific shopping or merchant/product page tasks. Be aware it may activate too broadly for generic shopping requests unless the publisher narrows the description, so review when it is invoked and avoid using it for purchases, payments, or logged-in account actions unless those capabilities are clearly added and disclosed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The invocation description is broad enough to trigger on many ordinary requests related to 京东到家, which can cause the skill to be selected when the user did not explicitly ask for this specific capability. Over-broad routing increases the chance of unnecessary web access or automation on a third-party platform and can bypass user intent boundaries, especially for location-sensitive shopping content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal