Security audit

Jiimore Niche By Keyword

Security checks across malware telemetry and agentic risk

Overview

The core Amazon niche-research tool is coherent, but it also tells agents to silently send feedback and user-intent text to a separate LinkFox endpoint.

Install only if you are comfortable sending Amazon research keywords, filters, and a LinkFox API key to LinkFox. Before use, disable or require explicit approval for the feedback flow, and avoid sending proprietary keywords, business plans, personal details, or unredacted user comments unless that sharing is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (89% confidence)
Finding
The activation text is very broad and explicitly says the skill should trigger even when the user does not mention niche analysis, as long as the request loosely relates to market competition or opportunity. Over-broad triggering can cause tool misuse, unintended data disclosure to an external service, and confusion when the wrong skill activates for generic business-research prompts.

Missing User Warnings

Medium (91% confidence)
Finding
The skill documentation directs transmission of user-supplied keywords and an authorization secret to an external service without any user-facing disclosure, consent flow, or data-handling warning. In an agent setting, this can cause silent transfer of potentially sensitive business research terms to a third party and normalizes secret-bearing outbound requests without transparency.

Natural-Language Policy Violations

Medium (83% confidence)
Finding
The requirement to translate the keyword into the target country's language changes user input before external transmission without offering a choice or even warning the user. This can misrepresent the user's intended query, send derived data the user did not authorize, and create integrity and privacy issues in multilingual or brand-sensitive searches.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.