Security audit

PDD Shopping Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill advertises no-login shopping advice but also tells agents to perform login-required cart, group-buy, coupon, and checkout-preview actions.

Review this carefully before installing. It may be useful if you explicitly want an agent to help inside a logged-in Pinduoduo session, but its description says no login is required while its instructions go further. Do not use it unless you are comfortable supervising every cart, group-buy, coupon, and checkout-preview step, and keep payment and final order submission manual.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence (High, 97% confidence)

Finding:
The manifest promises a strict boundary of no login, no order submission, and no payment, but the body of the skill later authorizes authenticated cart, group-buy, coupon, and order-preview actions. This mismatch is dangerous because platform or policy gates may rely on the manifest summary, causing the skill to be approved or invoked under a lower-risk assumption than its actual behavior.

Description-Behavior Mismatch (High, 96% confidence)

Finding:
The capability table expands the skill from advisory browsing into authenticated commerce operations such as adding to cart, joining group buys, applying coupons, and generating order previews. Even without payment, these are state-changing actions on a user's account and materially exceed a no-login assistant boundary, increasing the risk of unintended purchases, account misuse, or deceptive skill scoping.

Description-Behavior Mismatch (High, 96% confidence)

Finding:
The workflow includes a logged-in cart and pre-order phase, including adding items, joining or initiating group buys, applying coupons, and preparing an order summary. Those steps directly manipulate the user's shopping state and contradict the skill's advertised safe boundary, making the skill more dangerous in practice than operators or users may expect.

Description-Behavior Mismatch (High, 96% confidence)

Finding:
The workflow explicitly documents cart, group-buy, coupon, and order-preview actions that go beyond the skill's declared boundary of read-only shopping evaluation with no order submission or payment. This creates scope expansion risk: an agent following the guide could manipulate a user's shopping state after login and move them materially closer to purchase, contrary to the advertised safety model.

Description-Behavior Mismatch (High, 98% confidence)

Finding:
The order preview section instructs the agent to click the checkout button and extract order details, which advances the purchase flow despite the manifest stating no order submission. Even if payment is not completed, entering checkout can expose sensitive account data, modify platform state, and normalize behavior that exceeds user expectations for a read-only evaluation assistant.

Context-Inappropriate Capability (Medium, 92% confidence)

Finding:
Documenting add-to-cart and initiate/join-group actions is unnecessary for the stated purpose of evaluating product value and seller risk. These actions can alter the user's cart or participation state and may trigger notifications, reservations, or pricing consequences, making the skill more dangerous in context because the declared use case is advisory, not transactional.

Intent-Code Divergence (Medium, 89% confidence)

Finding:
The document claims 'clear safety boundaries' while simultaneously including login-required and purchase-adjacent workflows, which is a misleading safety representation. This discrepancy can cause downstream agents or users to trust the skill more than warranted, increasing the likelihood of over-privileged browser actions being taken under a false sense of safety.

VirusTotal

64/64 vendors flagged this skill as clean.