Goofish Search (闲鱼快速检索, Xianyu Quick Search)

Security checks across malware telemetry and agentic risk

Overview

This skill automates Goofish/Xianyu shopping searches and has a disclosed but privacy-relevant habit of saving results to a desktop file.

Install only if you are comfortable letting the agent use a logged-in Goofish/Xianyu browser to search listings. Before running it, consider telling the agent not to save files automatically, or to ask before writing the Markdown results file and confirm the destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium (97% confidence)
Finding
The skill's stated purpose is marketplace search and result presentation, but it also performs an additional local side effect by writing a Markdown file to the user's desktop. That creates an integrity and privacy risk because search terms and scraped links are persisted on disk without being clearly surfaced as an optional action requiring consent.

Missing User Warnings

Medium (98% confidence)
Finding
The skill instructs saving search results to a desktop file without any warning, prompt, or consent flow. Even though the content is shopping-related, the file may reveal user interests, product searches, links, and timestamps to anyone with local access, and normalized silent persistence is risky behavior for an agent skill.

VirusTotal

60/60 vendors flagged this skill as clean.