codropshipping View Products

Security checks across malware telemetry and agentic risk

Overview

This is a simple CoDropshipping product-search helper whose browser and network use matches its stated purpose, with minor user-awareness risks around broad triggers and automatic translation.

Install this only if you want the agent to open CoDropshipping and send product search terms there. Avoid using private or sensitive text in searches, and invoke the skill explicitly when you intend a CoDropshipping lookup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list is broad and includes generic phrases like '帮我找' and common product-category terms, which can cause the skill to activate for ordinary user requests that were not clearly intended for this specific tool. Because the skill has browser and network permissions, overbroad activation increases the chance of unintended external browsing and data retrieval, creating unnecessary exposure and user-surprise risk.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The workflow mandates translating search keywords into English without user opt-in, which can alter user intent, reduce accuracy for brand names or exact-match queries, and send transformed data to an external site without transparency. In a browser-enabled skill that performs live searches, forced translation makes the system less predictable and can cause unintended queries or misleading results.

VirusTotal

66/66 vendors flagged this skill as clean.
