jd-daoda

Security checks across malware telemetry and agentic risk

Overview

This appears to be a delivery-assistance skill with no evidence of hidden code, persistence, credential use, or data exfiltration, but users should be careful with medicine-related requests.

Install only if you want a JD Daojia/local-delivery assistant. For medicine delivery, do not treat it as medical advice or emergency care; verify prescription requirements and consult a pharmacist or clinician when needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The trigger conditions are broad enough that ordinary user phrases about local delivery, groceries, or medicine could activate the skill unintentionally. This can cause incorrect routing, confusing responses, and, in the medicine context, inappropriate handling of sensitive health-related requests without clear user intent.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill advertises urgent medicine delivery and prescription-drug handling but does not include safety, compliance, or eligibility guidance. In practice, this could mislead users about prescription requirements, proper medical consultation, or emergency situations, increasing the risk of unsafe medication use or regulatory non-compliance.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal