Security audit

Kleinanzeigen.de Helper

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for drafting Kleinanzeigen listings, but it asks the assistant to handle your account password and SMS code.

Review before installing. Use it only if you are comfortable with an assistant operating inside your Kleinanzeigen account, and prefer logging in yourself in the browser instead of giving the assistant your password or SMS code. Check the draft, photos, price, location, shipping settings, and rights to any images before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The skill explicitly directs the agent to collect the user's kleinanzeigen.de email, password, and SMS code, enabling full account access rather than limiting the agent to drafting content. This materially expands the agent's privileges, creates credential-handling and 2FA interception risk, and could allow unauthorized account actions beyond preparing a listing draft.

Vague Triggers

Medium, 81% confidence
Finding
The trigger condition includes activation whenever 'kleinanzeigen' is mentioned, which can invoke the skill during casual discussion rather than a clear intent to create or manage a sales listing. Overbroad activation increases the chance the agent will begin collecting sensitive sales, location, or account-related information in the wrong context.

VirusTotal

65/65 vendors flagged this skill as clean.
