Slickdeals

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed shopping/deal-search skill that uses web lookups for Slickdeals and possible retailer price checks, with no evidence of hidden persistence, credential access, or destructive behavior.

Reasonable to install for deal hunting. Expect your shopping search terms to be sent to Slickdeals and possibly retailer sites during price or availability checks; avoid entering sensitive personal information, and verify availability before purchasing because deals can expire quickly.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The manifest scopes the skill to searching Slickdeals, but the notes instruct the agent to supplement results with general web search and current retail pricing from Amazon, Best Buy, and other sites. This scope expansion is dangerous because it silently broadens data exposure, increases the number of external destinations contacted, and can cause the agent to act outside user and reviewer expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal