Scavio Walmart

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Walmart search helper that sends product searches and optional ZIP or store filters to Scavio, with no hidden executable code or purchase automation in the reviewed artifact.

Install this only if you trust Scavio with your Walmart searches, optional ZIP codes or store IDs, and API-key-backed usage. Keep SCAVIO_API_KEY private, monitor credit usage, and avoid sending location filters unless localized availability is actually needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (87% confidence)
Finding
The skill instructs the agent to send a user's ZIP code to a third-party API to localize availability and delivery estimates, but it does not require explicit user consent or provide a clear privacy notice. ZIP code is location data and can be sensitive in context, especially when combined with shopping intent and product queries sent off-platform.

VirusTotal

64/64 vendors flagged this skill as clean.
