ecom-price-monitor: cross-border e-commerce price monitoring tool. When a competitor moves a price, you get an alert within seconds.

Security checks across malware telemetry and agentic risk

Overview

This is a coherent e-commerce price-monitoring skill with an ordinary setup and no evidence of hidden exfiltration or destructive behavior, but it needs careful credential and scraping hygiene.

Before installing, review the product URLs and monitoring frequency, and respect marketplace terms and rate limits. Keep API keys, SMTP passwords, webhook URLs, and 1688 cookies out of prompts, logs, and source control, and leave email or webhook notifications disabled unless you trust the destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
90%
Finding
The skill explicitly advertises scheduled automated scraping, competitor monitoring, and email/Feishu notifications, but it does not warn users about legal, compliance, rate-limiting, account, or privacy risks associated with scraping third-party sites and sending outbound alerts. This omission can lead users to deploy the skill in ways that violate platform terms, trigger blocking, or expose monitored data through notification channels.
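The rate-limiting half of this finding is the part a practitioner can fix in code. The following is an added example, not code from the ecom-price-monitor skill: a fetch wrapper that spaces requests to the same host, honours a numeric Retry-After on 429/503, backs off exponentially otherwise, and gives up after a bounded number of retries instead of hammering the marketplace. PoliteFetcher, FakeClock, the scripted responses and the product URLs are constructed for illustration; in real use `fetch` would wrap requests.get.

```python
"""Per-host spacing, Retry-After handling and bounded retries for a scraper.

Added example, not code from the ecom-price-monitor skill. PoliteFetcher,
FakeClock, the scripted responses and the URLs below are constructed for
illustration; the real skill would pass a wrapper around requests.get as `fetch`.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


@dataclass
class PoliteFetcher:
    fetch: Callable[[str], Response]          # transport (assumed: wraps requests.get)
    min_interval_s: float = 5.0               # floor on spacing between hits to one host
    max_retries: int = 3                      # 429/503 retries before giving up
    now: Callable[[], float] = time.monotonic
    sleep: Callable[[float], None] = time.sleep
    last_hit: Dict[str, float] = field(default_factory=dict)

    def _wait_for_host(self, host: str) -> None:
        last = self.last_hit.get(host)
        if last is not None:
            remaining = self.min_interval_s - (self.now() - last)
            if remaining > 0:
                self.sleep(remaining)

    def get(self, url: str) -> Optional[Response]:
        host = urlsplit(url).netloc
        for attempt in range(self.max_retries + 1):
            self._wait_for_host(host)
            resp = self.fetch(url)
            self.last_hit[host] = self.now()
            if resp.status in (429, 503):
                # Honour a numeric Retry-After; otherwise back off exponentially.
                retry_after = resp.headers.get("Retry-After", "")
                delay = float(retry_after) if retry_after.isdigit() else self.min_interval_s * (2 ** attempt)
                self.sleep(delay)
                continue
            return resp
        return None   # give up; the caller should skip this product rather than keep hitting the site


class FakeClock:
    """Deterministic clock so the behaviour can be checked without real sleeping."""

    def __init__(self) -> None:
        self.t = 0.0
        self.sleeps: List[float] = []

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.sleeps.append(seconds)
        self.t += seconds


def demo() -> dict:
    """Two product pages on one host: the second hit is throttled, then rate-limited once."""
    clock = FakeClock()
    scripted = iter([                                   # constructed responses
        Response(200, {}, "price 1"),
        Response(429, {"Retry-After": "7"}),
        Response(200, {}, "price 2"),
    ])
    calls: List[str] = []

    def fake_fetch(url: str) -> Response:
        calls.append(url)
        clock.t += 0.5                                  # each request takes half a second
        return next(scripted)

    pf = PoliteFetcher(fetch=fake_fetch, min_interval_s=5.0, now=clock.now, sleep=clock.sleep)
    r1 = pf.get("https://detail.1688.com/offer/1.html")
    r2 = pf.get("https://detail.1688.com/offer/2.html")
    return {"bodies": [r1.body, r2.body], "sleeps": clock.sleeps, "requests": len(calls)}


def demo_give_up() -> Tuple[Optional[Response], List[float]]:
    """A host that never stops answering 429: the fetcher stops after max_retries."""
    clock = FakeClock()
    pf = PoliteFetcher(fetch=lambda url: Response(429, {"Retry-After": "2"}),
                       min_interval_s=1.0, max_retries=2, now=clock.now, sleep=clock.sleep)
    return pf.get("https://example.invalid/item"), clock.sleeps


if __name__ == "__main__":
    print(demo())
    print(demo_give_up())
```

With a 5-second floor the second request waits 5 seconds, the 429 is retried after the 7 seconds the server asked for, and the exhausted case returns None so the scheduler can log and move on. The interval and retry budget are knobs the user should set from the marketplace's published limits, not from how fast the scraper can go.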

Missing User Warnings

Medium
Confidence
91%
Finding
The README instructs users to obtain and use a logged-in 1688 Cookie but does not warn that session cookies are sensitive credentials equivalent to account access. This can lead users to paste, store, or share active session tokens insecurely, increasing the risk of account takeover, privacy exposure, or accidental credential leakage through config files, logs, or support requests.
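One way to treat the cookie as the credential it is, as an added example rather than the skill's own code: read it only from the environment (python-dotenv, already a dependency, can populate the environment from a git-ignored .env), refuse config keys that look like secrets, and attach a logging filter that masks the cookie value and any Cookie header before a record reaches a file or a support ticket. The variable name ECOM_1688_COOKIE, the config keys, the cookie string and the log lines are constructed assumptions.

```python
"""Load the 1688 session cookie from the environment and keep it out of logs.

Added example, not code from the ecom-price-monitor skill. The variable name
ECOM_1688_COOKIE, the config keys, the cookie string and the log lines are
constructed assumptions; python-dotenv can populate os.environ from a
git-ignored .env before load_cookie() runs.
"""
import logging
import os
import re
from typing import List, Mapping


COOKIE_ENV = "ECOM_1688_COOKIE"          # assumed name; the skill's own may differ
SECRET_KEY_HINTS = ("cookie", "password", "api_key", "webhook", "token")


def load_cookie(environ: Mapping[str, str] = os.environ) -> str:
    """Read the session cookie from the environment only, never from config.yaml."""
    value = environ.get(COOKIE_ENV, "").strip()
    if not value:
        raise RuntimeError(f"{COOKIE_ENV} is not set; export it or put it in a git-ignored .env")
    return value


def secret_keys_in_config(config: Mapping[str, object]) -> List[str]:
    """Config keys that look like credentials; a loader should refuse to start with these set."""
    return [k for k in config if any(h in k.lower() for h in SECRET_KEY_HINTS)]


class SecretRedactor(logging.Filter):
    """Masks known secret values and any Cookie header value before a record is emitted."""

    COOKIE_HEADER_RE = re.compile(r"(?i)(cookie\s*[:=]\s*)([^\s;]+(?:;\s*[^\s;]+)*)")

    def __init__(self, secrets: List[str]) -> None:
        super().__init__()
        self.secrets = [s for s in secrets if s]

    def redact(self, text: str) -> str:
        for secret in self.secrets:
            text = text.replace(secret, "[REDACTED]")
        return self.COOKIE_HEADER_RE.sub(r"\1[REDACTED]", text)

    def filter(self, record: logging.LogRecord) -> bool:
        # Fold the args into the message first so secrets passed as %s arguments are caught too.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records so the demo can return what would have hit the log file."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo() -> List[str]:
    """Log three realistic lines with the redactor attached and return the redacted output."""
    environ = {COOKIE_ENV: "cna=abc123; _tb_token_=deadbeef"}   # constructed, not a real session
    cookie = load_cookie(environ)
    logger = logging.getLogger("ecom-price-monitor.demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    handler = _ListHandler()
    handler.addFilter(SecretRedactor([cookie]))
    logger.addHandler(handler)
    logger.info("GET https://detail.1688.com/offer/1.html headers={'Cookie': '%s'}", cookie)
    logger.info("fetch failed for %s after 3 retries", "https://detail.1688.com/offer/2.html")
    logger.info("request headers: Cookie: cna=other; x=y")   # a cookie the redactor was not told about
    return handler.lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The value-based pass catches the cookie wherever it ends up in a message; the header pattern is the fallback for cookies the filter was never told about, such as one pasted straight into a debug line. Attach the filter to every handler, not only the console one, and add the same treatment for the SMTP password and webhook URL.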

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
beautifulsoup4>=4.12.0
schedule>=1.2.0
pyyaml>=6.0
pandas>=2.0.0
python-dotenv>=1.0.0
Finding
Six findings, one per requirement line. Every entry uses a lower-bound specifier (>=) rather than an exact pin, so the version installed is whatever PyPI serves at install time, and a compromised or broken newer release of any of these packages is picked up without any change to the skill itself. Flagged lines and confidence: requests>=2.31.0 (96%), beautifulsoup4>=4.12.0 (96%), schedule>=1.2.0 (95%), pyyaml>=6.0 (97%), pandas>=2.0.0 (92%), python-dotenv>=1.0.0 (93%).
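The check behind these six findings, as an added example that is not part of the scanner or the skill: a small requirements.txt auditor that joins continuation lines, separates --hash options, classifies each requirement as pinned+hashed, pinned, range or unconstrained, and lists the lines that would resolve differently depending on install time. SKILL_REQUIREMENTS is the list quoted above; PINNED_REQUIREMENTS is a constructed hardened form whose sha256 values are placeholders, not real digests. It goes beyond the page's case by also handling extras, environment markers and wildcard pins.

```python
"""Audit a requirements file for version specifiers that do not pin an exact release.

Added example, not code from the ecom-price-monitor skill or from SkillSpector.
SKILL_REQUIREMENTS is the list quoted in the findings; PINNED_REQUIREMENTS is a
constructed hardened form whose sha256 values are placeholders, not real digests.
The parser covers plain PEP 508 lines with extras, markers and --hash options;
URL and path requirements are skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

OP = r"(?:===|==|!=|~=|<=|>=|<|>)"
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"   # project name
    r"(?:\[[^\]]*\])?\s*"                                       # optional extras
    r"(?P<spec>" + OP + r"\s*[^\s,;]+"                          # first version clause
    r"(?:\s*,\s*" + OP + r"\s*[^\s,;]+)*)?"                     # further clauses
    r"\s*(?:;.*)?$"                                             # optional environment marker
)
CLAUSE_RE = re.compile(r"(" + OP + r")\s*([^\s,]+)")


@dataclass
class Requirement:
    name: str
    spec: str      # e.g. ">=2.31.0" or "==2.31.0"; "" when absent
    hashes: int    # number of --hash options on the logical line
    raw: str

    @property
    def status(self) -> str:
        if not self.spec:
            return "unconstrained"
        ops = [m.group(1) for m in CLAUSE_RE.finditer(self.spec)]
        exact = any(op in ("==", "===") for op in ops) and "*" not in self.spec
        if not exact:
            return "range"
        return "pinned+hashed" if self.hashes else "pinned"


def logical_lines(text: str) -> List[str]:
    """Strip comments, join backslash continuations, drop blank lines."""
    out: List[str] = []
    buf = ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf:
            out.append(buf)
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_requirements(text: str) -> List[Requirement]:
    reqs: List[Requirement] = []
    for line in logical_lines(text):
        if line.startswith("-"):                 # -r, --index-url and friends are not packages
            continue
        hashes = len(re.findall(r"--hash=\S+", line))
        body = re.sub(r"--hash=\S+", "", line).strip()
        m = REQ_RE.match(body)
        if not m:                                # URLs, local paths: out of scope here
            continue
        spec = (m.group("spec") or "").replace(" ", "")
        reqs.append(Requirement(m.group("name"), spec, hashes, line))
    return reqs


def audit(text: str) -> Dict[str, str]:
    """Map each requirement name to pinned+hashed / pinned / range / unconstrained."""
    return {r.name: r.status for r in parse_requirements(text)}


def unpinned(text: str) -> List[str]:
    """Logical lines that would install a different version depending on install time."""
    return [r.raw for r in parse_requirements(text) if r.status in ("range", "unconstrained")]


SKILL_REQUIREMENTS = """\
requests>=2.31.0
beautifulsoup4>=4.12.0
schedule>=1.2.0
pyyaml>=6.0
pandas>=2.0.0
python-dotenv>=1.0.0
"""

# Constructed hardened form; the sha256 values are placeholders, not real digests.
PINNED_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
beautifulsoup4==4.12.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
lxml   # no specifier at all
"""

if __name__ == "__main__":
    print(audit(SKILL_REQUIREMENTS))
    print(unpinned(PINNED_REQUIREMENTS))
```

Run against the skill's list, all six lines come back as range; against the hardened form only the unconstrained extra is reported. To produce the hardened form for real, keep the loose specifiers in a requirements.in and generate the lock file with pip-tools (`pip-compile --generate-hashes requirements.in`), then install with `pip install --require-hashes -r requirements.txt` so a wheel whose digest does not match is rejected.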

VirusTotal

64/64 vendors flagged this skill as clean.
