Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# 版本:1.0.0 # HTTP 请求 requests>=2.31.0 # 数据处理 pandas>=2.0.0
- Confidence
- 95% confidence
- Finding
- requests>=2.31.0
Taobao Advisor
Security checks across malware telemetry and agentic risk
Overview
This skill appears to be a local Taobao advertising advice/report generator that writes reports and logs but does not show evidence of changing ads, transmitting data, or hiding privileged behavior.
Install in a virtual environment and treat the unpinned dependencies as normal Python supply-chain risk. Only provide a dedicated read-only Taobao API key if you later add or use API-backed functionality, and expect the skill to write local report and log files. The script also appears to contain syntax/reliability errors, which affect usability rather than security.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
requests>=2.31.0 # 数据处理 pandas>=2.0.0 openpyxl>=3.1.0 # 环境变量加载
- Confidence
- 91% confidence
- Finding
- pandas>=2.0.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
# 数据处理 pandas>=2.0.0 openpyxl>=3.1.0 # 环境变量加载 python-dotenv>=1.0.0
- Confidence
- 93% confidence
- Finding
- openpyxl>=3.1.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
openpyxl>=3.1.0 # 环境变量加载 python-dotenv>=1.0.0 # 日志 colorlog>=6.7.0
- Confidence
- 88% confidence
- Finding
- python-dotenv>=1.0.0
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
python-dotenv>=1.0.0 # 日志 colorlog>=6.7.0
- Confidence
- 87% confidence
- Finding
- colorlog>=6.7.0
VirusTotal
66/66 vendors flagged this skill as clean.