Buyma Order Automation

Security checks across malware telemetry and agentic risk

Overview

This skill matches its BUYMA order-automation purpose, but it asks agents to use logged-in browser sessions and send order files by email or Telegram without enough recipient, consent, or data-scope controls.

Install only if you are comfortable with an agent operating in your logged-in BUYMA and Naver Mail browser profile and handling order workbooks. Before use, require manual confirmation before any email or Telegram send, verify recipients/channels, avoid attaching sensitive files unless necessary, and treat browser/mail/Telegram steps as procedural placeholders unless you implement and test them yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes reading from and writing to multiple local filesystem locations, but it does not explicitly declare those capabilities or bound their scope. Hidden or implicit file access is risky because it reduces transparency for reviewers and users, and could enable unintended access to historical order files or other local data if the implementation expands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill claims to perform browser automation, BUYMA interaction, memo updates, CSV download, Naver Mail sending, Telegram notification, and deadline-driven orchestration, but the described package only provides local helper scripts and placeholder references for those critical actions. This mismatch is dangerous because operators may trust the skill to perform business-critical or failure-handling steps that are not actually implemented, causing silent operational failures, missed deadlines, or insecure manual workarounds.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The README says critical behaviors such as BUYMA interaction, Naver Mail sending, and Telegram fallback are placeholders, while the skill metadata describes them as operational behavior. This mismatch can cause operators or downstream agents to rely on unimplemented automation for order processing, notifications, or failure handling, leading to missed deadlines, silent failures, or unsafe manual workarounds.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
Labeling the package as an 'executable skeleton skill' while also claiming several components are 'included as real code' creates ambiguous trust boundaries around what is actually safe to execute. In an automation context involving browser actions, workbook updates, and outbound communications, that ambiguity increases the chance of partial execution, operator misunderstanding, and accidental exposure of sensitive business data through incomplete controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that result files may be attached and sent through Telegram on failure, but it does not disclose the sensitivity implications of sending order data through a third-party messaging platform. If operators use this fallback without clear warning or controls, customer or order information could be exfiltrated to an external service that may not meet data-handling requirements.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The run mode explicitly instructs the agent to send Telegram notifications with file attachments when failures occur, which can transmit order/workbook data to an external service without any stated user confirmation, minimization, or sensitivity checks. In this skill context, the attached files likely contain order and customer-related business data, so automatic exfiltration during error handling increases privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The ad hoc mode says to send mail immediately after building the workbook, but provides no warning, confirmation gate, or validation of recipients despite likely handling order-range data. Because this skill automates business order processing, immediate external transmission can cause unintended disclosure, especially for ad hoc requests that may be broader than expected or operator-supplied.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow explicitly sends the generated workbook by Naver Mail and sends failure notifications with file attachments via Telegram, but it does not mention any user consent, data minimization, destination validation, or warning that order data will leave the local environment. Because the workbook and attachments likely contain customer/order information, this creates a real risk of unintended external data exfiltration or privacy/compliance violations during normal operation or error handling.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: buyma-order-automation
description: automate buyma order processing for regular daily runs and ad hoc order-range runs. use when chatgpt needs to access buyma in chrome, check or fill receipt memo numbers, download or use a provided buyma csv, write the tmazon order workbook, enrich rows from prior workbook history, and send the result by naver mail before a deadline or after an ad hoc request. stop immediately and notify by telegram with file attachment on buyma, csv, or mail failure.
---

# Overview
Confidence
84% confidence
Finding
write the tmazon order workbook, enrich rows from prior workbook history, and send the result by naver mail before a deadline or after an ad hoc request. stop immediately and notify by telegram with f

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal