Haresh Product Search

Security checks across malware telemetry and agentic risk

Overview

This is a small product-search skill that sends search queries to an n8n webhook, with no evidence of hidden access, persistence, or destructive behavior.

Install only if you trust the n8n workflow that will receive product search queries. Confirm or configure the actual webhook URL before use, and avoid entering sensitive personal, financial, or business information into product searches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill forwards raw user-provided input to an external webhook, which is a real data exfiltration boundary because user queries leave the local skill environment and are transmitted to a third party. The code shows no user notice, consent flow, allowlisting, minimization, or validation, so sensitive user-entered content could be disclosed externally without clear expectation.

External Transmission

Medium
Category
Data Exfiltration
Content
exports.search_products = async function ({ query }) {
  const response = await fetch("https://your-n8n-webhook-url", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ query })
Confidence
91% confidence
Finding
fetch("https://your-n8n-webhook-url", { method: "POST"

VirusTotal

64/64 vendors flagged this skill as clean.
