Security audit

daily-deals-1.0.0

Security checks across malware telemetry and agentic risk

Overview

This deals-report skill is not malicious, but it needs review because it describes recurring WeChat delivery without explaining privacy, account linking, or how users can stop it.

Review before installing if you plan to use WeChat delivery. Confirm how the destination is linked, what identifiers or preferences are stored, what data is sent to WeChat or any delivery service, and how to unsubscribe or revoke access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill offers automatic delivery of deal reports to the user's WeChat, which implies routing user data or notifications to a third-party messaging platform, but it does not disclose what data is sent, how consent is obtained, or what transmission/privacy safeguards apply. This creates a real privacy and user-expectation risk, especially because scheduling and external message delivery can expose account identifiers, preferences, and behavioral data.

VirusTotal

64/64 vendors flagged this skill as clean.