Tokopedia Unofficial MCP Skill

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Tokopedia shopping helper with no executable code or hidden actions in the reviewed bundle.

Reasonable to install as a shopping assistant skill. Before enabling the separate Tokopedia MCP server it expects, review that server independently, and avoid sending sensitive personal, payment, or account information unless you trust the configured provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill advertises itself with very broad trigger language like 'universal shopping tasks' and 'general Tokopedia workflows' without meaningful boundaries. Overly broad invocation criteria can cause the agent to select this skill in situations where it is only partially relevant, increasing the chance of unintended tool use, unnecessary external data access, and confused or misleading task execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal