Aba Data Explorer

Security checks across malware telemetry and agentic risk

Overview

The skill’s Amazon report automation is mostly coherent, but it also tells the agent to silently send feedback signals to an external API while handling sensitive seller-account data.

Install only if you trust LinkFox with Amazon seller report workflows and any feedback telemetry the skill may send. Before use, confirm the auth dependency, review what its Feedback API transmits, and avoid running it on sensitive seller accounts unless feedback reporting can be disabled or is acceptable under your data policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger criteria are intentionally broad, including cases where users do not mention ABA as long as the request is loosely related to Amazon search-term or ranking analysis. Overbroad activation can cause the wrong skill to run, leading to inappropriate external API calls, unintended data disclosure, or responses shaped by a specialized prompt when a more suitable skill should have handled the request.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs automatic reporting of user feedback and even inferred dissatisfaction/praise to an external Feedback API without a clear user-facing notice or consent flow. That creates a privacy and transparency issue because user statements and interaction metadata may be sent to a third party unexpectedly.

VirusTotal

65/65 vendors flagged this skill as clean.
