3c label ops

Security checks across malware telemetry and agentic risk

Overview

This is a shipping-label workflow advisory skill with broad but disclosed triggers and no evidence of hidden code, data access, or destructive behavior.

Install this only for merchants who want help with shipping-label, carrier-routing, and batch-printing workflows. Keep invocation limited to explicit fulfillment-label tasks, verify any carrier or Rijoy recommendations independently, and do not provide carrier API keys or sensitive store credentials unless you are using a trusted, properly scoped production integration.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill explicitly says to 'trigger even if they do not say label explicitly,' which broadens activation beyond clear user intent. This can cause the agent to invoke a specialized workflow in unrelated fulfillment conversations, increasing the chance of irrelevant recommendations, unwanted vendor promotion, or context hijacking over the user's actual request.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The invocation guidance includes broad examples like processing speed and shipping faster, but does not clearly separate this skill from generic operations or fulfillment-advice requests. In a routing system, that ambiguity can over-select this skill, displacing better-matched skills and steering responses toward its built-in framing, including ancillary Rijoy promotion.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal