Back to skill

Security audit

Convbox Ecommerce Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only Convbox ecommerce analytics assistant that uses a user-provided API key and saved store context to produce reports and recommendations.

Install only if you trust Convbox/RTOAI with the store tied to your CONVBOX_API_KEY. Treat reports as advisory, review any budget or campaign recommendations before acting, and avoid sharing raw API responses, account IDs, or store benchmarks outside your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares access to environment variables, file reads, and network-like behavior through its instructions, but does not declare corresponding permissions. This creates a transparency and governance gap: users or hosting platforms may not realize the skill can read memory, use the API key from the environment, and make external API requests. In a skill that handles store data and credentials-adjacent configuration, undeclared capabilities increase the risk of over-privileged execution and weak review controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The public description presents the skill as an ecommerce analysis/reporting assistant, but the instructions also route into a configuration-health utility that validates API-key presence, probes endpoints, and performs schema/connectivity checks. That mismatch can cause operators to approve or invoke the skill under a narrower trust model than its actual behavior, leading to unexpected external requests and broader operational access. Security review depends heavily on accurate descriptions, so hidden operational behavior materially increases risk.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill states that it does not call tools or other skills, yet elsewhere instructs the agent to call a utility skill for configuration checks. This contradiction undermines policy boundaries and reviewer assumptions, making it easier for hidden call chains to be introduced or overlooked. In practice, that can expand data access and execution scope beyond what users and scanners expect.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The routing examples include broad, natural phrases such as 'anything wrong with my campaigns' and 'what's off today', which can cause the skill to be invoked when the user did not clearly request this specific analysis. In an agentic system, overly permissive routing increases the chance of unintended data access, incorrect workflow selection, and confusing or misleading outputs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The plan explicitly instructs the agent to persist shop-level thresholds to memory without requiring a clear user-facing notice, consent step, or retention boundary. Even though the data is not highly sensitive on its face, persistent storage of business-specific baselines can create privacy, tenancy, and expectation risks if users are unaware the values will be retained and reused later.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
access.yaml:9