Back to skill

Security audit

Etsy商品查询

Security checks across malware telemetry and agentic risk

Overview

The skill appears to query Etsy products as advertised, but it sends an API key to a configurable network gateway and saves full responses locally in ways users may not expect.

Review before installing. Only use it if you are comfortable sending Etsy query parameters and your LinkFox API key to the configured gateway, and check or unset any LINKFOX_TOOL_GATEWAY value before running. Expect full API responses to be saved under a local linkfox directory, with possible fallback to home or temporary storage if the preferred path is not writable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
96% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill declares no permissions, yet it documents executable script usage that relies on an environment variable and can perform network access, and the static analyzer also detected file-write capability. This creates a permission-transparency gap: reviewers and runtime policy may underestimate what the skill can do, increasing the chance of unintended data access, outbound requests, or local file side effects.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill persistently caches and stores full API responses on local disk under predictable directories, even though its advertised purpose is only to query/filter Etsy products. If responses contain account-linked data, business data, or user-supplied query context, this creates unnecessary local retention and cross-session exposure on shared systems.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The documentation claims output is restricted to the current working directory and explicitly forbids /tmp, but the implementation may fall back to the home directory or temporary directory. This mismatch can cause operators to make unsafe assumptions about where potentially sensitive API data is written, increasing the chance of unintended disclosure.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation text is extremely broad, stating the skill should trigger even when the user does not mention the tool name as long as they are generally asking about Etsy products or filtering. Over-broad triggering can cause the agent to invoke this skill on ordinary conversations unintentionally, sending user queries to external tooling or changing system behavior without clear user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script always writes the full API response to disk before deciding what to print, without a strong user-facing warning at execution time that local persistence is mandatory. In agent environments, returned data may include user queries, identifiers, or service metadata, so silent persistence increases privacy and data handling risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.