拼团返利达人 (Group-Buy Rebate Expert)

Security checks across malware telemetry and agentic risk

Overview

This is a lightweight shopping rebate instruction skill with no executable code or credential access, though users should review any promotional sharing before use.

Before installing, treat rebate rates, product rankings, and commission estimates as suggestions unless verified against current merchant data. Do not let the assistant post to groups, share promotional links, join purchases, or imply affiliate/commission neutrality without your explicit review and any required disclosure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger list includes broad phrases such as general shopping and group-buying terms that can match routine user conversation unrelated to an explicit request for this skill. This can cause unintended invocation, increasing the chance the agent generates promotional links or rebate guidance in contexts where the user did not clearly consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly supports generating share links and sending recommendation lists to group chats, but it does not warn users about risks such as spam, unwanted promotional messaging, affiliate disclosure obligations, or sharing tracking/commission links into third-party groups. In a social-commerce context, this omission can facilitate misuse at scale and expose users or recipients to deceptive or unsolicited promotions.

VirusTotal

62/62 vendors flagged this skill as clean.
