比货购物助手

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese shopping-comparison prompt skill with no code, credentials, persistence, or account-changing powers.

Safe to install as an instruction-only shopping comparison helper. Verify prices, reviews, rebate claims, and seller terms independently before buying, and consider narrowing the trigger phrases if accidental activation would be disruptive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding:
The trigger list includes broad generic phrases such as '哪个好', '买哪个', '商品比较', and '产品对比' that are common in ordinary conversation and could activate the skill when the user did not explicitly intend to invoke it. In an agent environment, unintended activation can lead to unsolicited product-comparison behavior, irrelevant responses, or accidental handling of shopping-related queries outside the intended context.

Natural-Language Policy Violations

Medium
Confidence: 72%
Finding:
The skill metadata and content are entirely Chinese and implicitly target a Chinese-language locale without stating any fallback or user language negotiation. This can cause the skill to respond in a language the user did not request, which is primarily a usability and trust issue rather than a direct security flaw, but it may still confuse users and increase the chance of mistaken invocation or misunderstood output.

VirusTotal

65/65 vendors flagged this skill as clean.
