Scavio Amazon

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Amazon lookup helper that sends user-directed product searches to Scavio using a user-provided API key.

Install only if you are comfortable sharing Amazon searches, ASINs, and any ZIP code you provide with Scavio. Keep the Scavio API key private, prefer a revocable key, monitor usage, and avoid sending ZIP codes unless localized pricing is needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly supports a `zip_code` parameter that can transmit user location data to Scavio's external API, but the documentation does not warn users that this field may contain sensitive location information or that it leaves the local environment. This creates a privacy and informed-consent issue, especially when an agent may forward user-provided ZIP codes automatically.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill describes Amazon search and product lookup behavior without clearly warning that user queries and ASINs are transmitted to an external third-party service (`api.scavio.dev`). This omission can mislead users and agent developers about data flow, creating privacy and compliance risks when potentially sensitive shopping interests are sent off-platform.

VirusTotal

64/64 vendors flagged this skill as clean.
