App Order Prod Key Stats
Security checks across malware telemetry and agentic risk
Overview
This is a disclosed order-reporting skill, but it needs Review because it queries production business order data with locally supplied database credentials and builds SQL from user input without strong input controls.
Install or use this only if you are authorized to access the JiuShi order database. Use a narrowly scoped read-only account, declare and protect the required password environment variable, replace f-string SQL with parameterized queries and strict allowlists for dates, dimensions, and business sections, and avoid printing credentials or connection details.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.