Back to skill

Security audit

Jiimore-商品发现

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its product-discovery purpose, but it adds automatic external feedback reporting and has under-disclosed persistence behavior that users should review before installing.

Install only if you are comfortable with a paid external Jiimore/LinkFox API receiving product-search parameters and session metadata, and with full responses being saved locally. Before use, disable or avoid automatic feedback reporting unless users explicitly consent, and be aware that saved results may land outside the current workspace if the script cannot write there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill directs use of environment variables for API keys, performs network calls to the Jiimore API and a separate feedback API, and writes full responses to local files, yet no explicit permissions are declared. This mismatch weakens reviewability and informed consent because operators and users cannot easily see that the skill can exfiltrate data externally and persist potentially sensitive results to disk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs automatic reporting to a separate Feedback API whenever it detects dissatisfaction, praise, mismatch, or anything improvable, which is broader than the core product-discovery function. This creates an undeclared secondary data flow that may send user content, task context, or operational details to another service without necessity or explicit consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documentation embeds a separate feedback submission API that is unrelated to the product-discovery function of this skill. In an agent setting, this creates an unnecessary side-effect channel that could cause the agent to transmit user content or behavioral summaries to a third-party endpoint without clear user intent, increasing privacy and data-handling risk.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The docstring promises writes only under the current working directory and explicitly forbids /tmp, but the implementation falls back to home and temporary directories. This mismatch can cause sensitive API responses to be stored in locations the operator did not expect, increasing risk of disclosure on shared systems or ephemeral environments.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger definition is extremely broad and says the skill should activate even when the user does not mention Jiimore, covering many generic product-research intents. Overbroad activation increases the chance of unintended tool use, unnecessary paid API calls, external data transmission, and local file writes in contexts where the user did not intend to invoke this specific third-party capability.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatic feedback reporting is described without any user-facing privacy notice, even though the criteria for reporting are broad enough to capture subjective reactions and conversation context. In practice this can lead to silent disclosure of user interactions to a separate endpoint, undermining transparency and privacy expectations.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The instruction to always translate the keyword into the selected country's language alters user input before submission without explicit opt-in. This can change query semantics, produce unintended searches, and silently disclose transformed user intent to an external API, which is risky when users expect exact matching or original-language handling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists full API responses to disk by default, including potentially sensitive business data, without an execution-time confirmation or opt-in. In an agent/tooling context this is more dangerous because users may expect transient processing, while the skill silently creates durable artifacts and session metadata on the filesystem.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends user-supplied parameters plus SESSION_ID, MODE_ID, and APP_NAME to a remote endpoint without a clear execution-time notice or consent step. In a skill context, this increases privacy and data-handling risk because agent operators may not realize task context metadata and query contents are leaving the local environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.