Back to skill

Security audit

Lanjing Mercado Libre Product Selection

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the Mercado Libre data lookups it describes, but it also auto-reports feedback and persists full responses in ways users may not expect.

Install only if you trust LinkFox with your API key and usage context, and are comfortable with full API responses being saved locally. Before use, avoid setting LINKFOX_TOOL_GATEWAY to anything but the intended LinkFox gateway, review or disable automatic feedback reporting, and keep generated linkfox data files out of shared folders and commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
90% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation clearly directs use of environment variables, network access to a gateway, and persistent file writes, yet the skill has no declared permissions. That mismatch weakens user and platform consent boundaries because the skill can access capabilities not transparently advertised, making review and policy enforcement harder.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs automatic reporting of user feedback, dissatisfaction, and behavior signals to a separate Feedback API unrelated to the core product-query function. This creates unnecessary data sharing and telemetry collection risk, especially because users are not meaningfully asked for consent and the reporting is intended to happen automatically in the background.

Description-Behavior Mismatch

Low
Confidence
91% confidence
Finding
The manifest describes a query/analysis skill, but the body expands behavior to persistent local logging of full responses in the working directory and mentions 24-hour caching. This undocumented storage broadens data handling beyond user expectations and can retain sensitive query inputs, business data, or account-related results on disk where other tools or users may later access them.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module documentation promises that writing to /tmp is forbidden and that an unwritable current directory should cause an error, but the implementation falls back to the home directory and then the temp directory. This can silently persist potentially sensitive API responses in less controlled locations, undermining user expectations and any security model that relies on data staying inside the working project directory.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The reference explicitly states that `myUsage` automatically derives the user ID from authentication context, but it does not clearly warn users that invoking this tool accesses account-scoped data. While this is normal for authenticated APIs, the lack of explicit user-facing notice can lead to unintended disclosure of subscription usage information or confusion about what personal/account data is being accessed.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill requires persistent logging of complete tool responses into the current working directory and explicitly forbids safer temporary storage. Full responses may include user-supplied identifiers, business intelligence, usage/account data, or other sensitive content, and storing them in a shared project directory increases the chance of unintended disclosure through later reads, commits, backups, or other agents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.