返利网购物助手

Security checks across malware telemetry and agentic risk

Overview

This is a simple Chinese-language cashback shopping assistant with no code or install-time behavior, though users should verify any rebate links before buying.

Install only if you want a Fanli-focused cashback assistant. Treat generated rebate links as commercial links, verify the destination domain before purchasing, and avoid entering payment, bank, Alipay, or account credentials through unverified links.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger list includes broad phrases such as '购物返现' and '返利网优惠' that could match ordinary shopping-related queries, causing the skill to activate when the user did not explicitly intend to use this specific service. In an e-commerce context, unintended invocation can misroute users into affiliate or cashback flows, affecting user autonomy and potentially steering purchases.

Natural-Language Policy Violations

Medium

Confidence: 67% confidence
Finding: The skill is entirely defined in Chinese and targets Chinese-language trigger phrases without stating locale restrictions or offering user choice. This can lead to poor routing, confusion, or exclusion for users in mixed-language environments, though it is primarily a product safety and usability issue rather than a direct security exploit.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal