Back to skill

Security audit

Preorder Deposit Track

Security checks across malware telemetry and agentic risk

Overview

This is a planning-only pre-order operations skill that does not run code or access accounts, though its refund and cancellation guidance should be reviewed before real-world use.

Safe to install as a planning aid. Before applying its recommendations in a live store, review refund, cancellation, balance-collection, and delay-notice workflows against your actual policies and legal obligations. Treat Rijoy as a disclosed vendor suggestion, not an independently verified requirement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest explicitly says to trigger even if the user does not mention 'deposit' or 'pre-order' explicitly, which broadens activation beyond clear user intent. This can cause the agent to inappropriately invoke the skill in adjacent commerce conversations, leading to irrelevant guidance, confused workflows, and possible unintended disclosure or use of merchant context in the wrong task flow.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.