codropshiping-product-search

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the promised product search, but it asks users to handle an API token in an unsafe and under-disclosed way.

Install only if you trust the Codrop/Cargosoon API endpoint and can use a limited-scope or disposable token. Avoid pasting real credentials into command arguments; prefer a version that reads the token from an environment variable, secure prompt, or credential store and clearly discloses the destination host.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation instructs users to pass an authentication token directly on the command line and even shows a concrete token-like example value. Command-line arguments are commonly exposed through shell history, process listings, logs, and terminal recordings, so this guidance can cause credential leakage even if the underlying API usage is otherwise legitimate.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal