OPC商城

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward e-commerce helper that sends order and shipping details to its documented shopping service, with a privacy-notice gap users should understand.

Before installing or using this skill, be comfortable sending recipient name, phone number, address, and order items to the documented OPC ordering service. Provide only the details needed for fulfillment and avoid using it for sensitive shipments unless you trust the service’s privacy practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the agent to collect and transmit sensitive personal data including phone number, consignee name, and street address to an external service, but it provides no user-facing privacy notice, consent step, retention limits, or warning that the data leaves the local environment. This increases the risk of users unknowingly disclosing PII to a third-party endpoint and creates compliance and privacy exposure if the endpoint mishandles the data.

VirusTotal

63/63 vendors flagged this skill as clean.
