Alibaba Store Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Alibaba store reporting, but it should be reviewed because it automatically uses a logged-in Alibaba browser session to read broad private business report data.

Review before installing. Use it only if you are comfortable letting an agent read private Alibaba International Station business reports from the currently logged-in account. Prefer a limited browser profile or limited account, confirm each fetch explicitly, and avoid running it against accounts containing data you do not want exposed in the agent session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill performs authenticated requests against Alibaba account endpoints and retrieves store-specific business data using the user's existing browser session, but it does not require explicit informed consent or provide a clear warning before accessing potentially sensitive account information. In an agent context, silent access to authenticated business analytics can expose confidential commercial data to the user interface or downstream processing without the user fully realizing what will be accessed.

VirusTotal

66/66 vendors flagged this skill as clean.
