Taobao Product Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Taobao research scraper that saves reports locally, with session-persistence and file-output risks users should understand.

Install only if you are comfortable logging into Taobao in a skill-managed browser profile. Use a dedicated output directory, avoid search keywords containing path separators, inspect npm dependencies in sensitive environments, and delete `browser_data` when you no longer need the saved session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to log into Taobao and notes that login state will be saved in a local `browser_data` directory, but the warning is buried in operational steps rather than clearly surfaced as a privacy and credential-handling risk. Persisted browser profiles can contain session cookies and other sensitive state; if stored insecurely or reused unintentionally, they may enable account misuse or leakage.

Missing User Warnings

Low
Confidence: 89%
Finding
The skill advertises image collection and Excel output, but it does not clearly warn users that it will download images and create local directories/files on disk. This can surprise users, consume storage, and leave behind scraped content or artifacts in sensitive environments where local file creation is restricted or monitored.

VirusTotal

VirusTotal findings are pending for this skill version.
