
Security audit

Mercadona Products API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Mercadona product API skill, with an optional receipt-scanning feature that can share receipt data externally.

Use the product and nutrition lookup features normally. Before using receipt scanning, assume uploaded receipt images, PDFs, or receipt URLs are sent to mercaapi.sgn.space and processed by an external AI service; avoid submitting receipts with payment details or personal information unless that exposure is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents a receipt-upload endpoint that accepts either direct file uploads or a remote URL, but provides no warning that receipts commonly contain sensitive personal and financial data such as store location, purchase history, timestamps, and possibly payment details. In an agent context, this omission can lead users or downstream agents to transmit private documents to a third-party AI-backed service without informed consent or data-minimization safeguards.

VirusTotal

52/52 vendors flagged this skill as clean.
