Security audit

商业捡漏预警虾

Security checks across malware telemetry and agentic risk

Overview

This deal-monitoring skill is not clearly malicious, but it needs review because it encourages recurring marketplace scraping, local retention of listing data, collection of contact details, and anti-bot or login-state collection techniques without enough privacy and control guidance.

Install only if you are comfortable with a scraping-style monitoring skill. Before using it with real collectors, confirm the target platform permits automation, avoid using logged-in sessions unless you have clear authorization, decide whether contact details should be collected at all, and keep the data directory and any cron jobs easy to inspect and delete.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The document explicitly instructs collection and storage of personal contact information from scraped listings, but provides no privacy notice, lawful-basis guidance, retention limits, or access controls. In a multi-platform scraping skill focused on commercial advantage, this increases the risk of unauthorized personal data handling, privacy violations, and downstream misuse of seller or publisher contact details.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.