Back to skill

Security audit

Safety Footwear Buyer Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a local buyer-assistance skill that clearly discloses its simulated inquiry flow and does not transmit or store data, though its supplier links should be treated as examples rather than verification.

Before installing, understand that this skill can help draft sourcing questions and search static example products, but it is not a procurement platform and does not verify suppliers, certifications, pricing, MOQ, or order terms. Independently check any supplier and certification claims before using the information for business decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims supplier verification, RFQ preparation, and local-only simulated inquiry handling, but the described behavior appears to provide live supplier contact paths and overstates capabilities that are not actually implemented. This can mislead users into trusting incomplete verification or assuming procurement diligence was performed, creating social-engineering and business-process risk in a sourcing context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.