Security audit

Shopee Store Livestream

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Shopee livestream management, but it combines powerful store actions with automatic local saving of potentially sensitive API responses, so it belongs in Review before installation.

Install only in a controlled workspace for users who are allowed to manage the connected Shopee store. Expect this skill to use LinkFox credentials, send authenticated Shopee Livestream requests through LinkFox developerProxy, perform real store mutations when asked, and save response files locally. Avoid using --inline with sensitive data, keep the generated linkfox archive out of source control, and delete stored response files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill clearly instructs use of shell scripts, network calls, environment variables, and persistent file writes, yet no permissions are declared. This creates a transparency and governance gap: users and the host system may not realize the skill can access tokens, write project files, and call external APIs, increasing the chance of unintended data exposure or unsafe execution.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The shared helper serializes and saves full API responses to local disk for every invocation, which can capture shop metadata, livestream details, comments, media references, and potentially tokens or other sensitive fields returned by upstream services. This exceeds the stated livestream proxying purpose and creates unnecessary at-rest exposure, especially on shared hosts or persistent workspaces.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code creates a reusable local archive structure with session directories, metadata, and a root-level index.jsonl, enabling cross-session accumulation and discovery of historical response data. For a skill whose declared purpose is Shopee livestream management, this broad local data collection capability increases privacy and data-governance risk without clear necessity.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger logic is intentionally broad enough to activate even when the user does not explicitly mention livestream operations, as long as the request could relate to an authorized Shopee store. Over-broad activation can cause the agent to invoke a high-impact skill unexpectedly, leading to unnecessary API actions, token use, or access to store data outside the user's clear intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill states that full API responses are always written to local project files, but it does not require an explicit user-facing warning or consent before persisting potentially sensitive Shopee data. Livestream responses can include store operational data, comments, metrics, and identifiers, so automatic persistence increases the risk of accidental retention, later disclosure, or inclusion in source control.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The example shows an access token being placed directly in a JSON body sent to a proxy endpoint, but provides no warning about credential sensitivity, storage, redaction, or log exposure. In an agent/tooling context, this increases the risk that operators or downstream systems may mishandle tokens, leak them via logs, or reuse real credentials in insecure testing flows.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
This runner sends the shop access token plus user-supplied query/body data through an internal developer proxy, but the file shows no restriction, disclosure, or minimization at this trust boundary. Even if the proxy is intended architecture, proxying privileged API traffic increases exposure because the proxy can log, inspect, or forward sensitive commerce and livestream data, and misuse or compromise of that proxy would affect all authorized stores.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The helper both writes full API responses to disk and may print them inline to stdout for smaller payloads, with no evidence of redaction or user warning. Because this skill interacts with authenticated store APIs, responses may contain commercially sensitive store data, identifiers, comments, media URLs, or credentials/tokens from proxied services, leading to inadvertent disclosure via logs, terminals, or local files.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The instructions mandate saving complete API responses into session-scoped files under the current project directory for every call, regardless of sensitivity or task necessity. In this context, that can expose access-adjacent business data across tasks, persist user/store information longer than needed, and leak into shared workspaces, backups, or version control if the project directory is not tightly controlled.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.