Noon Product Search Tool

Security checks across malware telemetry and agentic risk

Overview

This Noon product search skill appears to scrape product listings, but it uses under-disclosed stealth browser automation and broader browsing behavior than its description promises.

Review this before installing. Run it only in a clean browser profile with no logged-in accounts, avoid leaving Chrome remote debugging enabled, and pin or inspect the Node dependencies yourself. Treat the output scope as broader than first-page search results unless the implementation is changed to match the documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The use of a stealth evasion plugin introduces unnecessary anti-detection behavior for a simple product search tool, which expands the skill's capability beyond its stated purpose. In this context, stealth makes the automation harder to distinguish from normal browsing and can facilitate scraping in ways that bypass site defenses or operator review, increasing abuse potential.

VirusTotal

64/64 vendors flagged this skill as clean.