xianyu-api-client-skill

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Xianyu API client whose account-changing powers and unsafe automation methods are disclosed and scoped to the stated marketplace API.

Install this only for Xianyu shop automation. Use dedicated least-privilege Xianyu credentials, prefer the confirmed methods and dry-run mode, and only allow _unsafe methods in controlled automation where you have already approved the exact product or order changes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The `request_unsafe` path explicitly bypasses the confirmation control for high-risk write operations and can send arbitrary allowed payloads directly to the remote API. In an agent/automation context, this weakens the claimed safety model because callers may invoke destructive actions like delete, modify price, or logistics submission without any user-facing approval at the call site.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal