Back to skill

Security audit

Taobao Query

Security checks across malware telemetry and agentic risk

Overview

This Taobao helper is not clearly malicious, but it gives an agent broad access to a logged-in shopping session, including cart, orders, browsing history, arbitrary page navigation, and seller chat, without enough confirmation boundaries.

Install only if you intend to let the agent use your logged-in Taobao desktop session. Keep the MCP server on trusted localhost when possible, avoid pointing TAOBAO_MCP_URL at an unknown server, and require explicit confirmation before add-to-cart, seller messages, order/cart viewing, browsing-history access, arbitrary URL navigation, clicks, or text entry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a Taobao price/info query tool, but its documented capabilities include broader browser-like actions such as arbitrary navigation and URL opening. This mismatch weakens least-privilege boundaries and can cause the agent to access or act on pages outside the user’s expected product-query scope.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
`navigate_to_url` allows opening any URL, which is unnecessary for a Taobao-focused querying skill and creates a path to arbitrary external sites. If invoked by prompt injection or ambiguous user requests, it could expose the agent to phishing pages, data exfiltration endpoints, or unintended cross-site actions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger description is broad enough to match general shopping or support-related requests, increasing the chance of unintended activation. Overbroad invocation can cause the skill to access cart, orders, chat, or browsing functionality when the user only asked a generic question.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation guidance relies on broad keyword mentions like price, cart, order, and shop without requiring clear action intent. This ambiguity raises the risk that the agent will invoke the skill for loosely related conversations and access sensitive account-linked shopping data unnecessarily.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill permits sending messages to sellers or customer service on the user’s behalf, but does not require explicit consent or preview before outbound communication. This can lead to unintended disclosures, impersonation of the user, or irreversible external actions triggered by ambiguous prompts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Access to browse history can reveal sensitive interests, purchase intent, or account-linked behavioral data, yet the skill provides no privacy warning or consent requirement. In this context, the capability is more dangerous because the skill also includes broad invocation rules that may expose personal shopping activity unexpectedly.

Scope Creep

Low
Category
Excessive Agency
Content
---
name: taobao-query
description: Query Taobao product prices and information through MCP (Model Context Protocol). Use when the user asks about product prices, searches for items on Taobao, compares prices, or wants to find the best deals on specific products. Triggers on phrases like "淘宝价格", "多少钱", "查一下价格", "销量", "店铺" or any product-related price inquiries. Can also perform other Taobao operations like viewing cart, checking orders, chatting with customer service, etc. - but NEVER payment or financial operations.
---

# Taobao Query Skill
Confidence
83% confidence
Finding
also perform other

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.