Back to skill

Security audit

Brand Protection Ebay

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as an eBay brand-protection tool, but its scripts generate Amazon-focused enforcement reports and legal templates, which could mislead users in a sensitive complaint workflow.

Review this carefully before installing or using it. Do not rely on its generated complaints, notices, or investigation steps for eBay VeRO matters unless you manually rewrite and verify them against eBay procedures and get appropriate legal or compliance review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The implementation and generated action plan are clearly oriented around Amazon workflows such as ASINs and Brand Registry, while the skill is presented as an eBay/VeRO toolkit. This mismatch can mislead users into taking the wrong enforcement actions, causing operational failure, incorrect legal complaints, and unsafe trust in the skill's stated purpose.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
Core data structures use Amazon-specific identifiers and concepts such as ASINs, Brand Registry, and seller models that do not match the advertised eBay context. In a security-sensitive enforcement tool, this creates a deceptive capability gap where downstream logic and user decisions are based on the wrong marketplace assumptions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file implements Amazon Brand Registry complaint content even though the skill is advertised as an eBay brand-protection toolkit. This mismatch can mislead operators into using the wrong enforcement workflow, sending incorrect complaints, and mishandling evidence or legal escalation in a brand-protection context where procedural accuracy matters.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The cease-and-desist output is tailored to Amazon-specific enforcement while the skill claims eBay-oriented protection. In practice, this can cause users to issue inaccurate legal or compliance communications, increasing operational and legal risk through misrepresentation of platform process and policy.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The test-buy guide instructs Amazon-specific purchasing and Brand Registry reporting steps despite the skill being presented as eBay-focused. That inconsistency can lead investigators to collect the wrong evidence, use the wrong account/process, and damage the effectiveness or admissibility of enforcement actions.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The MAP and complaint materials continue the Amazon-centric enforcement theme rather than the advertised eBay/VeRO functionality. While less severe than executable abuse, this is still a security-relevant integrity issue because users may rely on inaccurate enforcement guidance in a sensitive legal/compliance workflow.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.