Supermarket Offer Watcher

Security checks across malware telemetry and agentic risk

Overview

This is a coherent grocery deal watcher, but it stores location and shopping preferences locally and may run scheduled web searches if enabled.

Install only if you are comfortable saving an approximate home location and grocery watchlist in the workspace. Use a coarse location when possible, avoid sensitive notes, review or delete `/data/workspace/data/supermarkt-watchlist.json` when no longer needed, and enable daily or weekly cron alerts only intentionally.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill instructs reading and writing a persistent watchlist file under /data/workspace/data, but the metadata does not declare permissions or clearly surface those capabilities. Undeclared persistence is dangerous because users and platforms cannot accurately assess what local data the skill can store or access, especially when that data includes location and shopping preferences.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 83% confidence
Finding: The documented behavior promises automated nearby deal checking, scheduling, alerts, and radius-based monitoring, but the analyzed skill file only contains instructions and setup guidance without implementing or declaring those capabilities. This mismatch is security-relevant because it can mislead users and reviewers about what the skill actually does, obscure missing controls, and create unsafe assumptions about automation and notifications.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill stores precise home location, product preferences, schedule, and timezone in a local file and plans recurring web searches, yet provides no prominent privacy warning or consent language about local retention and outbound queries. This is sensitive behavioral and location data; if mishandled or unexpectedly transmitted, it can reveal where the user lives, when they are active, and what they buy.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal