Etsy Autolist

Security checks across malware telemetry and agentic risk

Overview

This skill can use your Etsy credentials to create fixed draft listings in your shop, while its description overstates a broader listing-from-files workflow.

Install only if you specifically want these three draft Etsy listings created in your shop. Treat the Etsy client secret and access token as account credentials, review Etsy API scopes before use, and be prepared to delete unwanted draft listings manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill declares no permissions while its documented behavior clearly requires environment secret access and outbound network access to Etsy APIs. This mismatch is dangerous because it prevents users and policy systems from accurately understanding the skill's capabilities, reducing informed consent and making abuse or overreach harder to detect.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The skill claims to create/manage Etsy listings from existing digital files, but the documented behavior indicates it instead creates specific hardcoded finance/crypto/trading listings and omits key promised functionality. This is dangerous because users may grant Etsy credentials expecting a general listing tool, while the skill can perform unintended account actions that create misleading or policy-sensitive storefront content.

Missing User Warnings

Medium
Confidence: 81%
Finding
The skill instructs users to store Etsy client credentials and obtain an OAuth access token without clearly warning that these secrets can grant access to shop operations. In the context of an e-commerce account, missing secret-handling guidance increases the chance of accidental exposure, unsafe sharing, or use of over-privileged tokens.

VirusTotal

65/65 vendors flagged this skill as clean.
