Jingdong

Security checks across malware telemetry and agentic risk

Overview

This is a JD.com product-research helper that only instructs the agent to browse public shopping information and does not request login, payment, persistence, scripts, or personal data access.

Install this if you want an assistant to research JD.com products. Before using any shopping assistant, keep account actions under your control: do not let it log in, add items to cart, or proceed toward checkout unless you explicitly intend that.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 80%
Finding
The description is broad enough to trigger on generic shopping-related requests such as sending a product name or link, without clearly constraining what actions the skill will take or when it should activate. In an agentic browser-shopping context, overbroad invocation increases the chance of unintended activation and automated interaction with commercial sites on ambiguous user input, which can lead to unwanted browsing, product selection, or purchase-adjacent actions.

VirusTotal

64/64 vendors flagged this skill as clean.
