美逛返利助手

Security checks across malware telemetry and agentic risk

Overview

This is a simple coupon and rebate helper skill with no executable code or credential access, though its broad trigger words and planned social-posting features deserve caution in future versions.

Safe to install as a basic coupon/rebate assistant. Be aware that broad brand-name triggers may activate it when you only mention 美逛 generally. Review future versions carefully before allowing social-group posting, scheduled messages, or automatic shopping-link rewriting, especially if they request account access or posting permissions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger list uses broad branded terms such as “美逛”, “meiguang”, and related coupon/promotion phrases without clear activation boundaries, which can cause the skill to activate in unrelated conversations that merely mention the brand or rebates. In a commerce context, over-broad invocation can misroute users into affiliate, promotional, or coupon workflows unexpectedly, increasing the risk of unwanted promotion, mistaken authority, or social-engineering style steering.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal