Apo Cli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent apohealth.de shopping-cart helper, but it can change a live pharmacy cart and stores session/cart data locally.

Install only if you want an agent-assisted apohealth.de shopping workflow. Do not use it for medical advice, review any add/remove/clear action before it runs, complete checkout yourself in the browser, and treat apo_cookies.json and apo_cart.json as private session files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 85% confidence
Finding: The skill documentation declares no permissions while the bundled CLI behavior implies file read/write and network access. This reduces transparency for users and reviewers, making it easier for stateful local storage and remote requests to occur without informed consent. In this context, the risk is amplified because the tool handles pharmacy-related browsing and persists session/cart state locally.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 96% confidence
Finding: The documented purpose understates several sensitive behaviors: persisting cookies/cart tokens, opening the browser, and exposing local state/path information via a status command. This mismatch can mislead users and integrators about the real security and privacy footprint of the skill, especially when local session artifacts could be reused or inspected by other processes/users.

Intent-Code Divergence

Medium

Confidence: 90% confidence
Finding: The documentation says to never complete a purchase, yet it also advertises a checkout command that opens the browser for checkout. Even if the final click is left to the user, providing a direct checkout flow undermines the stated safety boundary and increases the chance of unintended purchase progression.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: These sections document live cart mutation endpoints such as add, update, and clear, but do not warn that invoking them changes a real Shopify session and can affect an actual user's cart state. In a pharmacy context, silent cart changes are more sensitive because they can alter medication selections, quantities, and ordering intent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The sample code includes a ready-to-use addToCart function that performs a real POST to /cart/add.json, yet the surrounding documentation does not include a direct safety notice about modifying live carts. This lowers the barrier to implementing unsafe behavior and could lead an agent or developer to perform unintended pharmacy cart mutations without explicit consent.

Vague Triggers

Medium

Confidence: 77% confidence
Finding: The trigger terms are broad and ambiguous, so the skill may activate for generic mentions of medication, pharmacy, or health products without clear user intent to use apohealth.de. Unintended invocation is more concerning here because the skill can make network requests and modify a persistent cart state on a third-party pharmacy site.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill persists session cookies to a local JSON file without warning the user or applying protective file permissions. Cookies can represent authenticated session state or tracking identifiers, so local disclosure to other users/processes on the same host could enable account/session misuse or privacy leakage.

Missing User Warnings

Medium

Confidence: 78% confidence
Finding: The cart token is written to disk without notifying the user and without access controls. Although generally less sensitive than full authentication cookies, cart tokens can still expose shopping state and may enable unauthorized cart manipulation or privacy disclosure on shared systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal