Security audit

Naver Shopping Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Naver Shopping search helper that uses disclosed Naver API credentials and does not show hidden, destructive, or persistent behavior.

Install only if you are comfortable sending product search terms to Naver and using Naver Shopping API credentials. Prefer dedicated Naver credentials stored only in the documented skill-specific location, and review the publisher/source if provenance matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill invokes a Python script that uses environment variables, reads credential files, and makes network requests, but the skill declares no permissions for these capabilities. This creates a trust and review gap: an agent or user may invoke the skill without realizing it can access local secrets and transmit data externally, which is especially sensitive because API credentials are sourced from multiple local locations.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.