
Security audit

娜可露露 Shampoo Recommendation Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a shampoo recommendation skill with optional local image and packaging helper scripts; the concrete issues are broad activation wording and hard-coded local paths, not hidden or malicious behavior.

Safe to install for normal recommendation use. Treat it as a brand-specific commercial recommender, review product claims critically, and only run the optional Python scripts intentionally after changing the hard-coded Windows paths to your own skill directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The skill is presented as a conversational shampoo recommender, but the documented behavior includes filesystem manipulation, image generation, HTML generation, packaging, testing local file structure, and reads/writes to a fixed local Windows path. This mismatch is dangerous because users and platform reviewers may grant trust or execution context based on the declared low-risk purpose, while the actual capabilities enable broader local file access and artifact generation outside the stated scope.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger list is broad and includes generic phrases such as '洗发水' and brand mentions, which can cause the skill to activate in many unrelated conversations. In an agent environment, unintended activation can hijack user intent, inject irrelevant product recommendations, and interfere with safer or more appropriate skills that should have handled the request.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding
The script writes a file directly to a hard-coded user-specific path on the local system without checking context, confirming with the user, or making the destination configurable. While this appears to be a build/helper script for generating an icon rather than an actively malicious payload, silent writes to fixed filesystem locations are risky because they can overwrite files, fail unpredictably on other machines, or be repurposed in a broader workflow to modify local state unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.