Barcode Inquiry - 商品条码查询

Security checks across malware telemetry and agentic risk

Overview

This skill performs a disclosed product-barcode lookup through JisuAPI using the user's API key, with no evidence of hidden access, persistence, or destructive behavior.

Install only if you are comfortable sending queried barcode values to JisuAPI under your own API key. Use a dedicated key where possible, monitor quota usage, and avoid querying barcodes that reveal sensitive purchases, inventory, or personal context unless you trust the provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 79%
Finding: The invocation guidance is broad enough that an agent may trigger this skill on loosely related phrases about scanning or checking a barcode without clear user consent boundaries. In context, that can cause unintended transmission of product barcodes to a third-party API and accidental use of paid API quota.

Missing User Warnings

Medium
Confidence: 92%
Finding: The markdown explains that data comes from JisuAPI but does not clearly warn end users that their queried barcode will be sent to a third-party service. This is a privacy and transparency issue because barcode values can reveal purchase intent, inventory, or product associations, and users may not expect external sharing.

VirusTotal

49/49 vendors flagged this skill as clean.
