Naver Shopping Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Naver Shopping search helper that uses disclosed Naver API credentials and shows no hidden, destructive, or persistent behavior.

Install only if you are comfortable sending product search queries to Naver and providing Naver Search API credentials via environment variables. Keep those credentials out of logs and version control, use the narrowest available API scope, and rotate them if they may have been exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The documentation names required API credentials in `.env` but does not warn users not to print, log, commit, or otherwise expose those secrets. In a skill context where an agent may inspect files or echo command context, missing handling guidance increases the risk of accidental credential disclosure rather than direct compromise by itself.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal