Takeout Coupon 外卖优惠券隐藏券大额券，美团、京东、闪购/饿了么

Security checks across malware telemetry and agentic risk

Overview

This is a coupon lookup skill that openly uses a third-party coupon API and does not show hidden persistence, credential access, or destructive behavior.

Install this if you want an agent to fetch takeout coupon data from the disclosed third-party API. Treat returned coupon codes, QR images, and redemption pages as external promotional content, and do not enter sensitive account or payment information unless you independently trust the destination.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The trigger conditions are broad enough to activate on generic coupon-related queries, which can cause unexpected invocation and unsolicited outbound requests to the third-party coupon API. While not directly malicious, overbroad routing increases privacy and consent risk because users may not realize their request will be sent to an external service.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs the agent to call a third-party API but does not clearly tell users, at point of use, that their request may result in outbound network access to a non-platform domain. This creates a transparency and consent issue, especially when the skill may be auto-invoked from broad user prompts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal