Price Watcher

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local price-watching skill that fetches user-supplied product pages and stores price history locally, with no evidence of hidden or destructive behavior.

Install this only if you are comfortable with the agent fetching the product URLs you provide and storing their names, prices, URLs, and price history in a local watchlist. Avoid internal or sensitive URLs, and review any cron or Discord webhook setup before enabling scheduled checks or external notifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill advertises many generic trigger phrases such as 'track price', 'watch this product', and 'let me know when it goes on sale', which can overlap with ordinary shopping or recommendation requests. In an agent environment, overly broad invocation criteria can cause the skill to activate unintentionally, leading the agent to fetch external URLs, modify local watchlist state, or produce monitoring behavior the user did not explicitly request.

VirusTotal

63/63 vendors flagged this skill as clean.
