Add to Cart (Multi-Platform)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate shopping-site actions, but it handles live logged-in sessions and can modify third-party accounts with insufficient guardrails.

Review before installing. Use this only with accounts where you are comfortable letting an agent modify carts, favorites, interest markers, and possibly chats. Avoid sharing or logging session tokens, require confirmation before each live action, and prefer a dry-run or manual review step before any cart or account change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs use of a browser automation agent and direct HTTP/API access to platform endpoints, which are network-capable actions, but it does not declare permissions accordingly. Undeclared network capability weakens review and consent boundaries, making it easier for a skill to perform authenticated actions against third-party services without clear authorization metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior overstates what the skill actually implements and also describes alternative navigation/manual-handoff flows not clearly captured in the declared purpose. This mismatch is dangerous because reviewers and users may authorize the skill expecting limited, well-defined behavior, while the real workflow can involve broader browsing, extraction, and authenticated state-changing actions on e-commerce sites.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The Xianyu flow explicitly notes that clicking the "想要" control may open a chat interface, which is a different and more intrusive state-changing action than merely expressing interest. That can cause unintended user-account interactions with third parties, including initiating contact, creating message threads, or exposing presence/interest signals the user did not intend to send.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The navigation helper writes an arbitrary user-controlled URL directly into `window.location.href`, and the later `detail` mode exposes that capability without restricting domain or scheme. In a skill intended only for a fixed set of e-commerce platforms, this creates an unnecessary open-navigation primitive that could be abused to drive the logged-in browser session to attacker-controlled pages, phishing content, or unexpected internal/local resources reachable by the browser.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section provides direct instructions for adding items to a live Taobao cart via authenticated browser state and API calls, but does not give a strong warning that these are real account-modifying operations on external platforms. In an automation skill, that omission increases the risk of unintended changes to a user's shopping account, especially when the guide frames the process as routine operational steps.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide instructs extraction of the `_tb_token_` value from cookies and use of that authenticated token in a live API request. Even though it operates inside the browser context, documenting token extraction and replay without privacy or account-safety warnings normalizes handling sensitive session material and can lead to account misuse, token leakage, or unauthorized state changes if copied into logs, scripts, or other tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Across JD, PDD, and Xianyu, the guide describes real add-to-cart, favorite, and want actions but lacks a general up-front warning that these operations will alter live third-party account state. Because the skill is specifically designed to automate shopping-platform interactions, the absence of strong consent and boundary-setting makes accidental or overbroad actions materially more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented fallback code directly clicks a page element matching the text '加入购物车', which can trigger a real authenticated account action on a live e-commerce site without any explicit confirmation or warning. In this skill’s context, that is more dangerous because the entire tool is designed to automate carting/favoriting on real user accounts, so a generic text-match fallback increases the chance of unintended actions when selectors drift or pages are misidentified.

VirusTotal

64/64 vendors flagged this skill as clean.