Security audit

Xiwu Inventory

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent household inventory assistant, but it should be reviewed because it can automatically install a global npm or pnpm package without first getting clear user consent.

Install only if you trust the xiwu-niangzi package and are comfortable with an agent running a global npm or pnpm install. Prefer installing and verifying the CLI yourself first, review any update or delete confirmations carefully, and avoid storing sensitive household details unless you are comfortable with them being available to local inventory alerts or purchase-suggestion workflows.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to automatically install a global npm/pnpm package when `xiwu` is missing, which expands its behavior from inventory management into software installation. Global package installation executes untrusted package-manager workflows and modifies the host environment, creating supply-chain and unauthorized system-change risk without explicit user approval.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The skill requests unrestricted shell access and then uses it for package-manager operations unrelated to the core inventory function. Broad shell capability increases the blast radius of prompt misuse, command construction mistakes, or compromised dependencies, especially because the skill is designed to perform write actions and environment changes.

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger set contains very broad everyday phrases, making accidental invocation more likely in unrelated conversations. In this skill, mis-triggering is more dangerous because the skill can perform state-changing inventory operations and may attempt environment setup, so an unintended activation could lead to unwanted reads, writes, or installation prompts/actions.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The skill authorizes automatic CLI installation on first interaction without requiring explicit informed user consent beforehand. That creates unauthorized software installation risk and, combined with npm/pnpm, introduces a direct supply-chain path from normal user conversation to host modification.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.