Back to skill

Security audit

YiMa StarEngine

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent marketing and commerce analytics assistant, with a disclosed but under-documented local cache behavior users should understand before use.

Before installing, confirm where the skill or its companion CLI stores cached 巨量百应 data, how long order and commission data is retained, who can read it on shared machines, and how to clear it. Use it only in an environment approved for sensitive campaign, sales, and settlement data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises direct access to core platform APIs and automatic fallback to local caching, but provides no warning about what business or user data may be cached, how long it is retained, or how it is protected. In a tool handling order flows, commission settlement, and influencer data, undocumented local caching can expose sensitive commercial or personal data through disk persistence, shared environments, or unintended reuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.