online-shopping-discount

Security checks across malware telemetry and agentic risk

Overview

This shopping skill mostly does what it says, but it can register with an external service using a persistent device identifier and reuse cached credential-linked IDs without clear consent.

Review carefully before installing. The shopping features are coherent, but the current version may send your shopping queries, generated link requests, a cached credential-derived ID, and possibly your device UUID to the configured service. If used, provide a custom username, avoid sensitive searches, clear scripts/.credential_cache when finished, and prefer a version that removes hardware identifier collection and separates credentials from user IDs.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
The README documents that the registration script will automatically collect a machine-specific device UUID and use it as the default username. For a shopping discount/search capability, persistent hardware-derived identification is not necessary for the stated function and creates unnecessary device fingerprinting and privacy risk, especially if sent to a remote service or stored in cache/logs.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The script collects a stable device identifier from the host and uses it in a registration flow to obtain access credentials from a remote service. For a shopping-discount skill, device fingerprinting and account/bootstrap credential acquisition are unnecessary to the stated functionality and create a privacy-sensitive tracking mechanism plus unauthorized expansion of capability.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
The code reads machine-unique identifiers such as product_uuid or machine-id and sends that value as the username to the remote endpoint. This enables persistent cross-session host tracking and exfiltrates sensitive device identity data without any clear need for coupon search/comparison behavior.

Context-Inappropriate Capability

Severity: Medium. Confidence: 86%.
The script stores remote-issued credentials in a local cache file and reuses them automatically, effectively implementing account/session management beyond the declared shopping-assistance scope. While the file permissions are restricted, persistence of credentials increases the blast radius of compromise and creates opaque background authentication behavior.

Context-Inappropriate Capability

Severity: Medium. Confidence: 98%.
The script defaults `user_id` to the raw credential value (`local user_value="${USER_ID:-$CREDENTIAL}"`) and sends it as a query parameter in the request. This unnecessarily repurposes secret material as an identifier, increasing exposure through outbound requests, server logs, proxies, analytics, and debugging systems without any functional need shown in the script.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The documentation instructs the agent to automatically obtain, cache, refresh, and reuse credentials across sessions, and even suggests inspecting the cached credential file. This creates unnecessary exposure of authentication material, increases the chance of credential leakage between users or sessions, and normalizes passing sensitive tokens on command lines where they may be logged or exposed to other local processes.

Vague Triggers

Severity: Medium. Confidence: 81%.
The trigger keywords are overly broad, including common words like '买', '购物', 'buy', and 'shopping', which increases the chance of accidental activation. Because this skill performs registration, credential handling, remote queries, and link generation, unintended triggering can cause unnecessary network actions and disclosure of user intent or host-linked identifiers.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The script sends a credential-derived identifier (`user_id`, defaulting to `CREDENTIAL`) to a remote API endpoint, and the endpoint is configurable via environment variable. Although the default URL is HTTPS, the script does not enforce HTTPS or provide any disclosure/consent before transmitting identifier-linked data off-host, so a misconfigured `SHOPPING_API_ENDPOINT` could send sensitive tracking data over cleartext HTTP or to an unexpected service.

Missing User Warnings

Severity: Medium. Confidence: 98%.
The registration request sends the username, password, and potentially a device UUID to a remote endpoint, but the script provides no explicit privacy disclosure or informed consent step. In this skill context, silent transmission of host identity and newly created credentials is disproportionate and could support user/device tracking or unexpected account creation.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The credential is transmitted over the network as `user_id` with no explicit warning, consent, or indication to the caller that a secret may be embedded in request parameters. Because the script uses a GET request with URL-encoded query parameters, the value is especially likely to be retained in logs and monitoring infrastructure, compounding the leakage risk.

VirusTotal

46/46 vendors flagged this skill as clean.