Back to skill

Security audit

Shopee Store Push

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly purpose-aligned for Shopee Push administration, but it always saves full API responses locally and the code can write them outside the documented project path.

Install only if you are comfortable with a skill that can change Shopee Push settings and confirm lost-message consumption through LinkFox. Treat saved files under linkfox directories as potentially sensitive, check where they are written, avoid committing them, and delete or protect response files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational capabilities including environment-variable access, file writes, network calls, and shell execution, but does not declare permissions or present clear guardrails. This creates a transparency and control gap: an invoking agent or user may not realize the skill can persist data locally, use session-scoped identifiers, and call remote endpoints, increasing the chance of unintended data exposure or unsafe execution.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The helper persistently writes full API responses to local disk under linkfox/.../data, and those responses may contain access tokens, shop identifiers, webhook configuration, or other sensitive business data returned by storeTokens or developerProxy. For a skill whose described purpose is API proxying for Shopee Push configuration, undisclosed local persistence materially expands data exposure beyond what is necessary.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition is overly broad and explicitly says the skill should fire even when the user does not mention Push, as long as the topic is only loosely related to Shopee platform configuration or message management. Over-broad invocation can cause the wrong skill to activate, leading to unintended API operations, unnecessary exposure of credentials or business data, and user confusion about what tool is acting on their request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that full API responses are always written to project files, with optional full stdout output, but does not require an explicit warning or consent flow for persistence of potentially sensitive webhook configuration, identifiers, message payloads, or account metadata. Persisting complete responses by default increases the risk of secrets or sensitive operational data being retained in the workspace, committed to source control, or accessed by other tools and users.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The helper saves full API responses to disk and may also print them inline, but there is no user-facing warning, consent mechanism, or disclosure that sensitive response contents will be retained locally. This creates a confidentiality risk, especially because push-related API responses can include operational configuration or account-linked data.

Ssd 3

Medium
Confidence
97% confidence
Finding
emit_result() serializes and may print entire result objects, creating a semantic data leak if upstream API responses include tokens, webhook URLs, identifiers, or error payloads with sensitive context. Because this is a shared helper used across push-related entry points, the leak risk propagates broadly across the skill’s operations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.