
Security audit

Shopee Store Public

Security checks across malware telemetry and agentic risk

Overview

This Shopee API skill is broadly coherent, but it handles OAuth/token flows while saving and sometimes printing full unredacted responses by default.

Install only if you are comfortable with LinkFox handling Shopee token/proxy traffic and with raw API responses being saved locally. Avoid using --inline for token endpoints, treat saved JSON files as secrets, delete them when no longer needed, and prefer a version that redacts token fields or disables full-response persistence by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill advertises and instructs use of shell, network, environment-variable access, and file-write behavior, but no explicit permission declaration is present. This creates a transparency and governance gap: operators may invoke a capability-rich skill without understanding that it can write data locally, read session context, and make outbound requests, increasing the chance of unsafe use and poor policy enforcement.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The documented purpose says the skill proxies six Shopee Public endpoints, but the observed behavior expands to dependency probing, token resolution through another endpoint, and persistent local storage of responses. This mismatch is dangerous because users and reviewers may consent to a narrow API proxy while the implementation also discovers local resources and handles credentials/tokens in ways not clearly disclosed.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The module description suggests a shared helper for public API proxying, but it also resolves store token data and supports broad response persistence. That scope expansion increases the chance that sensitive token-related material is accessed and later exposed through logging or local storage, which is riskier than the stated public-API helper purpose implies.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The module persistently writes full API responses to local filesystem paths under predictable workspace directories, regardless of whether the responses may contain access tokens, shop identifiers, merchant identifiers, or other sensitive data. In a skill that brokers OAuth token exchange and developerProxy traffic, broad archival materially increases exposure through local compromise, multi-user hosts, backups, or later accidental disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation warns about cost and file writes but omits a clear warning that OAuth exchanges and token refresh operations can transmit, return, and expose sensitive credentials or access tokens. In a token-handling skill, missing sensitivity guidance materially increases the risk that users will print, store, or share secrets insecurely.

Ssd 3

Medium
Confidence: 97%
Finding
The skill requires always saving full API responses to session-scoped files and sometimes printing full JSON to stdout; for OAuth/token endpoints, those responses may include access tokens, refresh tokens, or other sensitive identifiers. Persisting and echoing secrets in plaintext expands exposure to local users, logs, downstream tooling, and future prompt context, making credential compromise significantly more likely.

Ssd 3

Medium
Confidence: 98%
Finding
emit_result() prints full serialized responses for small outputs and writes full responses to disk for all outputs, which can expose OAuth tokens, merchant/shop identifiers, API errors, and user-supplied payloads in plaintext. Given this skill explicitly handles token exchange and proxy calls to Shopee APIs, these logging and display flows create a direct sensitive-data disclosure risk.

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

No suspicious patterns detected.