Security audit

Seerfar Ozon Shop Search

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the promised Ozon shop lookup, but it also persists full results locally and includes silent feedback-reporting instructions that users should review before installing.

Install only if you trust LinkFox/Seerfar with your Ozon seller-analysis queries and API key. Avoid setting LINKFOX_TOOL_GATEWAY unless you control the destination, review the local linkfox data/cache folders for sensitive results, and be aware that the skill text asks agents to send silent feedback reports to a separate LinkFox endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (5)

Tainted flow: 'req' from os.environ.get (line 70, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Confidence: 95%
Content:
        method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Finding: with urlopen(req, timeout=120) as response:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill invokes network access, reads environment variables, and writes API responses to local disk, yet no explicit permission declaration or user-facing consent boundary is present. This creates a capability/expectation mismatch that can lead to unintended data persistence, broader execution authority than users realize, and weak auditability of what the skill is allowed to do.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The documentation includes a separate public feedback API unrelated to the shop-search function, creating an opportunity for an agent or integrator to make unintended outbound requests beyond the user's requested action. In an agentic context, this expands the skill's effective capability surface and could enable silent data exfiltration of user prompts, results, or metadata to a third-party endpoint under the guise of telemetry or feedback.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger is intentionally broad enough to fire on generic Ozon shop-analysis intent even when the user did not ask for this specific tool. Over-broad routing can cause unrequested external API calls, unnecessary data collection, token/cost consumption, and disclosure of third-party seller analytics when the user may have expected a different workflow.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill states that it always writes full responses to a session-associated path under the current working directory, but it does not clearly warn about retention, visibility, cleanup, or privacy implications. Persisting complete API responses by default can expose business-sensitive analytics, identifiers, and session-linked artifacts to other local users, repositories, backups, or later tooling without the user's awareness.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.