Back to skill

Security audit

checkers-sixty60

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be genuine Checkers Sixty60 shopping automation, but it can affect a live shopping account and cart without enough scoping or user-impact warnings.

Review this before installing if you use a real Checkers/Sixty60 account. Only invoke it when you explicitly want Checkers/Sixty60, and require confirmation before cart changes, delivery choices, checkout, payment, or order submission. I found no evidence of hidden malware, persistence, or data exfiltration in the supplied scan evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation text is broad enough to match generic grocery-shopping requests, which can cause the agent to invoke this specific retailer automation in situations where the user did not clearly ask for Checkers/Sixty60. In a purchasing skill, over-broad routing increases the risk of unintended account actions, basket modifications, and retailer-specific browsing under the wrong context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill enables real shopping actions that can affect funds, orders, addresses, and account data, but it does not prominently warn that actions may trigger real purchases or modify a live cart. In this context, omission of a purchase/account-impact warning is dangerous because browser automation can quickly translate ambiguous user intent into real-world financial and privacy consequences.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.