Amazon Orders

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for using an unofficial Amazon order-history tool, but it requires sensitive Amazon login and MFA secret handling that users should treat carefully.

Install only if you trust the upstream amazon-orders package and are comfortable giving an unofficial tool Amazon sign-in capability. Prefer an isolated environment, consider pinning the package version, avoid persistent shell exports or dotfile storage for credentials, use a secret manager for any automation, and protect exported order-history files because they may contain private purchase data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documentation instructs users to provide highly sensitive Amazon credentials and an OTP/TOTP secret via environment variables, but it does not include a clear security warning about the risks of storing long-lived account secrets or the sensitivity of exported order history. Because this skill accesses a consumer retail account and purchase history through an unofficial scraper, compromise of these secrets could enable account takeover or exposure of private purchase data.

VirusTotal

66/66 vendors flagged this skill as clean.
