Back to skill

Security audit

亚马逊-店铺数据上传

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims for Amazon feed uploads, but it persistently saves sensitive API results more broadly than documented and gives conflicting cost guidance.

Install only if you are comfortable with Amazon feed data, feed document URLs, request bodies, and status responses being saved locally. Before using upload_feed_document, verify the exact file path and destination URL, and treat the credit/cost behavior as unclear until confirmed by the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill directs use of environment variables, local file reads/writes, network access, and shell-based Python scripts, but it does not declare these permissions explicitly. This weakens user and platform visibility into the skill's effective privileges, increasing the risk of overbroad access and unsafe execution in environments that rely on declared permissions for policy enforcement.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill states earlier that usage consumes credits and warns against repeated probing, but later says '不消耗积分'. Contradictory billing and cost guidance can mislead the agent into taking actions the user did not expect, causing unauthorized spending or bypassing cost-safety decision points.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The shared helper writes full API responses to local disk unconditionally, including Feeds API data that may contain seller identifiers, feed metadata, document references, error payloads, and potentially sensitive business data. Because the skill description is about proxying/uploading SP-API feed operations rather than local retention, this creates an unnecessary data-at-rest exposure and increases the blast radius if the host is multi-user, backed up, or later compromised.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This module contains generalized session indexing, metadata tracking, and workspace file-management logic unrelated to the core Feeds API helper purpose. While not inherently malicious, this expands the skill's persistence and local data inventory capabilities, making silent accumulation and cross-run tracking of activity more likely than necessary for the stated functionality.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly supports uploading local file contents, raw content, or base64-encoded content to a pre-signed external URL, but it does not clearly warn users that the data will leave the local environment and be transmitted to Amazon or another storage endpoint. In an agent/tooling context, this can cause unintended exfiltration of sensitive files or business data if a user or upstream prompt supplies the wrong file path or content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code saves complete responses to disk without any user-facing warning or consent mechanism in this module. Silent persistence of potentially sensitive API output is dangerous because operators may assume transient processing, while the code actually creates local forensic copies that can be read by other users, backup systems, or later malware.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to always persist full API responses to a session-based file under the working directory, even when responses may contain seller, account, feed, or document metadata not needed for the user's immediate request. This creates a durable local data exposure risk, especially in shared workspaces, repos, synced folders, or later tool steps that may read and disclose those files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.