返利提醒官

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable rebate reminder skill with disclosed alert behavior, though users should be careful about what shopping and contact details they connect to it.

Before installing or using it with real accounts, enable only notification channels you trust and avoid sharing full order numbers, rebate balances, phone numbers, email addresses, or WeChat details unless the service clearly asks for consent and lets you disable alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger list includes broad, everyday phrases such as '省钱提醒' and '高返提醒', which can easily overlap with normal conversation and cause unintended invocation. In a skill that may send proactive notifications or act on user shopping interests, accidental triggering can expose preferences, generate spammy behavior, or cause unintended processing of user data.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill advertises multiple outbound notification channels including app push, WeChat, SMS, and email, but does not disclose what user data is shared through those channels, how consent is obtained, or how contact details are stored and used. Because rebate reminders may include order status, product interests, balances, or coupon information, this creates a meaningful privacy and data-handling risk if messages are sent without clear opt-in and minimization.

VirusTotal

61/61 vendors flagged this skill as clean.
