Security audit

Xiwu Inventory

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent household inventory assistant, but it warrants review because it can automatically run a global npm or pnpm install of a package without first obtaining clear user consent.

Install only if you trust the xiwu-niangzi package and are comfortable with an agent running a global npm or pnpm install on your behalf. Prefer installing and verifying the CLI yourself first, pinned to a version you have reviewed; read any update or delete confirmations carefully before approving them; and avoid storing sensitive household details unless you are comfortable with them being available to local inventory alerts or purchase-suggestion workflows.
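The overview recommends installing and verifying the CLI yourself rather than letting the agent do it, and the first finding below explains why: a global install runs the package's install-time scripts and puts new executables on PATH. The script below is an added example of the pre-install check a practitioner would run; it is not code from the Xiwu Inventory skill or the xiwu-niangzi package. It uses `shutil.which` to see whether `xiwu` is already present, inspects a registry manifest (the shape `npm view <pkg> --json` returns) for lifecycle hooks and for `bin` entries that would shadow commands already on PATH, and builds a pinned install command with `--ignore-scripts`. The manifest embedded in the block is constructed for illustration and does not describe the real package.

```python
"""Vet an npm/pnpm CLI package before an agent is allowed to install it globally.

Added example, not part of the Xiwu Inventory skill or the xiwu-niangzi package.
The package name 'xiwu-niangzi' and CLI name 'xiwu' are taken from the audit;
SAMPLE_MANIFEST is CONSTRUCTED and does not describe the real package.
"""
import json
import shutil
import subprocess
from typing import Callable, List, Optional, Tuple

# Hooks npm runs automatically at install time unless --ignore-scripts is set.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def cli_present(name: str) -> bool:
    """True if the CLI is already on PATH, in which case no install is needed."""
    return shutil.which(name) is not None


def fetch_manifest(package: str) -> dict:
    """Read the registry manifest without installing anything (needs network).

    `npm view` prints one object for a single version and a list when the
    spec matches several; take the newest entry in the list case.
    """
    out = subprocess.run(["npm", "view", package, "--json"],
                         check=True, capture_output=True, text=True).stdout
    data = json.loads(out)
    return data[-1] if isinstance(data, list) else data


def lifecycle_findings(manifest: dict) -> List[Tuple[str, str]]:
    """(hook, command) pairs that would execute on the host during install."""
    scripts = manifest.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in LIFECYCLE_SCRIPTS if hook in scripts]


def bin_names(manifest: dict) -> List[str]:
    """Command names a global install would place on PATH."""
    bins = manifest.get("bin")
    if isinstance(bins, str):            # "bin": "cli.js" means one command named after the package
        return [manifest.get("name", "")]
    return sorted((bins or {}).keys())


def shadowed_bins(manifest: dict,
                  path_lookup: Callable[[str], Optional[str]] = shutil.which) -> List[str]:
    """Bins that collide with a command already resolvable on PATH."""
    return [name for name in bin_names(manifest) if path_lookup(name)]


def install_command(pm: str, package: str, version: str) -> List[str]:
    """Pinned global install with install-time scripts disabled.

    Caveat: packages that genuinely need a build step will not work with
    --ignore-scripts; that is a reason to review the script, not to drop the flag.
    """
    if pm == "npm":
        return ["npm", "install", "-g", f"{package}@{version}", "--ignore-scripts"]
    if pm == "pnpm":
        return ["pnpm", "add", "-g", f"{package}@{version}", "--ignore-scripts"]
    raise ValueError(f"unsupported package manager: {pm}")


def vet(manifest: dict, cli: str, pm: str = "npm") -> dict:
    """Summarise what a human should look at before approving any install."""
    findings = lifecycle_findings(manifest)
    shadows = shadowed_bins(manifest)
    return {
        "already_installed": cli_present(cli),
        "lifecycle_scripts": findings,
        "shadowed_bins": shadows,
        "needs_review": bool(findings or shadows),
        "install_command": install_command(pm, manifest["name"], manifest.get("version", "")),
    }


# Constructed manifest for the example; NOT the real xiwu-niangzi package.
SAMPLE_MANIFEST = {
    "name": "xiwu-niangzi",
    "version": "1.2.3",
    "bin": {"xiwu": "bin/xiwu.js"},
    "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
}

if __name__ == "__main__":
    # Replace SAMPLE_MANIFEST with fetch_manifest("xiwu-niangzi") to vet the live package.
    for key, value in vet(SAMPLE_MANIFEST, "xiwu").items():
        print(f"{key}: {value}")
```

Run it once by hand, read any lifecycle script it reports, then execute the printed install command yourself; the point is that the decision to install, and the exact version installed, stays with a person rather than with the agent's first conversation turn.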

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to automatically install a global npm/pnpm package when `xiwu` is missing, which expands its behavior from inventory management into software installation. A global install fetches the package from the registry, runs its install-time lifecycle scripts (npm does so by default) with the user's privileges, and places new executables on PATH, so a compromised or typosquatted package becomes host modification and code execution without explicit user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The skill requests unrestricted shell access and then uses it for package-manager operations unrelated to the core inventory function. Broad shell capability increases the blast radius of prompt misuse, command-construction mistakes, or compromised dependencies, especially because the skill is designed to perform write actions and environment changes; a narrow allow-list of inventory commands would not need that capability.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The trigger set contains very broad everyday phrases, making accidental invocation in unrelated conversations more likely. In this skill, mis-triggering is more dangerous than usual because the skill performs state-changing inventory operations and may attempt environment setup, so an unintended activation could lead to unwanted reads, writes, or installation prompts and actions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill authorizes automatic CLI installation on first interaction without requiring explicit, informed user consent beforehand. That creates unauthorized software installation risk and, because the install goes through npm/pnpm, opens a direct supply-chain path from an ordinary user conversation to modification of the host.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.