Security audit

shopping-list-fashion

Security checks across malware telemetry and agentic risk

Overview

This skill is a small shopping-list prompt with no included executable code, but users should verify the referenced script and API key before using it.

Before installing, confirm that any shopping_list_fashion.py script you use comes from a trusted source and inspect what service LIST_API_KEY belongs to. Use a limited-scope API key if possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill's activation guidance is very broad, using generic triggers like 'shopping related functionality' and 'fashion operations' without clear boundaries or user-intent checks. This can cause the skill to be invoked in contexts where it is not the best match, increasing the chance of unintended execution, confusion, or unsafe composition with other tools.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal