Security audit

Xianyu

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only guide for publishing paid skill services on Xianyu, with no hidden execution, privileged access, or data collection behavior.

Use this as general listing advice. Keep passwords, verification codes, payment details, and identity verification inside official Xianyu/Taobao/Alipay apps, and redact names, phone numbers, addresses, QR codes, account IDs, order numbers, client data, and private chat content before uploading examples or dispute evidence.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill recommends uploading screenshots,成果展示,资质证明, and preserving chat records, but it never warns users to redact personal or sensitive information before sharing. In this marketplace context, that omission can lead to accidental exposure of phone numbers, IDs, account details, client data, or private conversations in public listings or dispute evidence.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.