Security audit

Shopee Store Auth

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Shopee authorization purpose, but it handles store tokens and authorization links with broad local persistence, clipboard use, and configurable credential-bearing network endpoints that deserve review before installation.

Install only if you trust LinkFox with Shopee store authorization and token access. Review where local linkfox output folders, ~/.cache/linkfox, temp files, and clipboard history may store authorization material, and avoid setting API base URL override environment variables unless you control the endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Tainted flow: 'req' from os.environ.get (line 43, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        method="POST",
    )
    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=60) as response:

Tainted flow: 'req' from os.environ.get (line 37, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        method="POST",
    )
    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
94% confidence
Finding
with urlopen(req, timeout=60) as response:

Tainted flow: 'req' from os.environ.get (line 39, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        method="POST",
    )
    try:
        with urlopen(req, timeout=60) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=60) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented behavior includes network access, shell execution, environment variable use, and filesystem writes. This under-disclosure is dangerous because it prevents informed consent and review, especially in a token-handling skill where stored responses may contain sensitive authorization artifacts or metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as authorization and token retrieval, but it also documents persistent local storage of complete API responses in session folders, which may include sensitive store identifiers, token-related fields, or other confidential data. This behavior materially expands the data exposure surface beyond the declared purpose, increasing the risk of credential leakage, lateral access by other local processes, or accidental inclusion in project files and logs.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The helper serializes and persists the full API response to local disk for every call, regardless of whether the payload may include shop tokens, authorization artifacts, or account data. In a Shopee authorization skill, that creates a clear sensitive-data exposure risk because token-reading functionality is explicitly in scope and those secrets may be retained in predictable local paths and later accessed by other local users, processes, or tooling.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code creates per-session metadata and a global index.jsonl recording session IDs, dates, paths, skills called, and data file references across runs. This exceeds the core authorization/query purpose of the skill and introduces undisclosed usage-history tracking that can reveal operational patterns, shop-management activity, and where sensitive artifacts are stored.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The script persistently stores the generated authorization URL in a predictable local file under the user's home cache or temp directory. Authorization URLs often contain one-time tokens, state values, or sensitive parameters, so local persistence increases the chance of token leakage to other local users, processes, backups, or forensic artifacts.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Copying the authorization URL to the system clipboard exposes potentially sensitive authorization material to any local application or clipboard history manager with access to clipboard contents. This broadens the exposure of a value that should ideally be ephemeral and tightly scoped.

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger logic is overly broad, allowing activation even when the user does not explicitly mention Shopee or authorization. In a skill that can initiate OAuth flows and read access-token-related data, over-triggering can cause unintended handling of sensitive account operations, confusion between user intent and privileged actions, and accidental exposure or storage of store data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill explicitly documents an endpoint that returns raw access and refresh tokens, and even suggests handing the returned accessToken to another proxy API. In an agent/tooling context, exposing bearer credentials to the model or downstream components materially increases the risk of credential leakage through logs, prompts, memory, telemetry, or misuse beyond the user's intended action.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Sensitive result data is written to disk automatically, while the only visible indication is a save-status message after the write occurs. Because this skill handles store authorization and token retrieval, users may reasonably expect in-memory processing, not durable storage of secrets, making the lack of prior disclosure and consent especially dangerous.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The metadata/index logic records session history and file references without clear notice that usage telemetry is being stored locally. Even if the content is not the full token payload, these records can still expose which authorization-related skills were used, when they were used, and where associated data files reside, which amplifies privacy and follow-on access risks.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.