Back to skill

Security audit

Mobazha Product Description

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate product-description helper, but it tells agents to directly create, update, and potentially bulk-edit live store listings without clear review or confirmation steps.

Review carefully before installing. Use it only if you are comfortable giving an agent authority over Mobazha listings, and require the agent to show proposed titles, descriptions, tags, affected listing slugs, and a diff before any create, update, or bulk operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly says it can publish directly via `listings_create` and `listings_update`, but it does not warn that generated content may be written to live storefront listings. This can cause unintended or unreviewed changes to public product data, especially if an agent auto-executes tool calls from a vague user request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The existing-listing workflow says the agent will call `listings_get` and then `listings_update`, but it does not disclose that current live listing content will be overwritten. In a commerce context, silent updates can alter customer-facing copy, SEO fields, or compliance-sensitive text without the seller's informed approval.

Missing User Warnings

High
Confidence
97% confidence
Finding
The bulk-generation workflow encourages scanning products and generating better descriptions for many listings, but it omits any warning about wide-scale changes. This is more dangerous because a single prompt could trigger mass edits across a store, amplifying mistakes, harmful content, brand damage, or policy violations across multiple products at once.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.