Security audit

Vinehoo Product Search

Security checks across malware telemetry and agentic risk

Overview

This is a narrow Vinehoo wine and alcohol product search skill that sends search filters to Vinehoo and does not show local data access, persistence, or hidden privileged behavior.

Reasonable to install if you want Vinehoo product search and same-day inventory statistics. Search terms, price filters, countries, categories, regions, and winery names are sent to Vinehoo, so avoid entering sensitive personal details and verify product pages before buying.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger condition is broad enough to activate on general shopping or recommendation requests involving alcohol, which can cause the skill to run outside its narrowly intended scope. Over-broad activation increases the chance of unintended tool use, irrelevant data access, and user confusion about why a domain-specific external search was invoked.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal