
Security audit

Noon 商品数量统计 (Noon Product Count Statistics)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do its advertised Amazon product-data extraction, but it relies on automated scraping that advertises CAPTCHA, anti-bot, and geofencing avoidance.

Install only if you are authorized to collect this Amazon data and your use of BrowserAct complies with applicable site terms, law, and organizational policy. Treat BROWSERACT_API_KEY as a secret, run a small test first, and avoid using the skill for bulk scraping, evading access controls, or activity that could trigger account or IP blocking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The documentation explicitly advertises stealth anti-detection and automatic reCAPTCHA bypass for a task that only needs to count product search results. That adds an evasion capability unrelated to the stated business purpose and can facilitate unauthorized scraping or circumvention of website protections, increasing legal, abuse, and policy-violation risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description omits an explicit warning that it performs browser automation against an external website using stealth behavior and CAPTCHA bypass. This reduces user awareness of the operational and compliance risks and may cause operators to deploy the tool in contexts where such behavior violates site terms or triggers account/IP blocking.

VirusTotal

62/62 vendors flagged this skill as clean.
