Smart Shopper

Security checks across malware telemetry and agentic risk

Overview

The shopping features are mostly clear, but the billing helper can charge a SkillPay account by default when invoked with a user ID and API key.

Review this before installing if you will provide a SkillPay API key. Only use it where agent-initiated charges are acceptable, consider wrapping or manually approving billing calls, and periodically clear the local shopping-list and price-tracking files if they contain sensitive buying interests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest exposes capabilities to access environment variables, write local files, and perform network operations, but it does not declare any permissions or provide user-visible justification for those actions. In a shopping skill, hidden network/file/env access increases the risk of undisclosed data handling, secret use, and persistence beyond the user's expectation, especially because billing and local storage are involved.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description frames the capability as product search and comparison, but the documented behavior also includes local persistence, alerting, and standalone billing/payment-link operations. This mismatch is dangerous because users and platform reviewers may authorize the skill under a narrower trust model while the implementation performs broader actions involving money movement, file storage, and external API interaction.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest omits the price-tracking and alert capability even though it is implemented as a command. Undisclosed tracking features are risky because they can create persistent local state and background-style monitoring semantics that users did not knowingly approve, which is more sensitive in a commerce-oriented skill that may accumulate product interests and behavior over time.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI defaults to performing a charge operation when run, which can cause unintended billing if the caller omits an explicit mode flag or invokes the script incorrectly. In a shopping skill that monetizes per call, this increases the risk of accidental charges and poor consent handling; it is not a direct code-execution flaw.

VirusTotal

63/63 vendors flagged this skill as clean.
