卖家之家 (Seller's Home, cross-border e-commerce): private message lookup and sending

Security checks across malware telemetry and agentic risk

Overview

This skill clearly provides MJZJ private-message lookup and sending using a user-supplied API key, with no hidden code or unrelated behavior found.

Install this only if you want an agent to access MJZJ private messages and send messages from your account. Keep MJZJ_API_KEY in trusted environments, verify recipients and message text before sending, and rotate or revoke the key when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly enables querying and sending private messages, which involves highly privacy-sensitive user data and actions, but it does not require any explicit user confirmation, notice about data sensitivity, or consent flow before accessing or transmitting that data. In an agent setting, this increases the risk of unintended disclosure of chat history or accidental outbound messaging on behalf of the user.

VirusTotal

65/65 vendors flagged this skill as clean.
