Security audit

Shopee Store Merchant

Security checks across malware telemetry and agentic risk

Overview

The skill appears to query Shopee merchant data as advertised, but it automatically saves full sensitive responses locally with weak storage boundaries.

Install only if you are comfortable with Shopee merchant, shop, warehouse, and prepaid-account responses being saved locally in full. Use it in a private workspace, keep the LinkFox API key protected, avoid committing the linkfox output directory, and delete saved session data when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill describes capabilities to read environment variables, write files, invoke shell scripts, and make network requests, yet it declares no permissions or user-facing constraints. This creates a transparency and policy-enforcement gap: a caller may trigger sensitive actions without informed consent or least-privilege review, especially since the skill also handles merchant tokens and API responses.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
emit_result() serializes and writes full API responses to local disk under predictable session directories. In this skill context, Shopee merchant API responses can contain merchant metadata, shop lists, warehouse details, and prepaid-account information, so indiscriminate persistence creates a sensitive-data-at-rest exposure well beyond the stated proxy/query function.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code builds a local archive system with session IDs, metadata, index.jsonl, and per-session data catalogs for merchant responses. That turns a transient API helper into a data collection and retention mechanism, increasing exposure, discoverability, and replay value of sensitive merchant information if the host is shared or compromised.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger logic is intentionally broad, stating the skill should activate even when 'merchant' is not explicitly mentioned, as long as the request could relate to authorized cross-border merchant information. Over-broad activation increases the chance of the wrong skill running on ambiguous prompts and exposing merchant/shop data or causing paid API calls without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs persistent storage of complete API responses in the project directory by default, but does not require an explicit warning or consent flow before storing potentially sensitive merchant information. This creates unnecessary data retention risk because merchant/account details may remain on disk, be accessible to other tools in the workspace, or be committed/synced unintentionally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The helper writes API responses to disk silently, without any user-facing disclosure in this file that merchant data will be retained locally. The absence of notice and consent increases privacy/compliance risk and makes users/operators less likely to apply appropriate controls for the stored data.

Ssd 3

Medium
Confidence
98% confidence
Finding
Always saving full Merchant API responses to session-linked local files is dangerous because these responses can include sensitive merchant, warehouse, shop, or prepaid account data. The risk is amplified by deterministic local storage under the current working directory, which may be shared, indexed, backed up, or accidentally version-controlled, turning a transient API read into a broader confidentiality exposure.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.