Security audit

Skill Product

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed product-description helper that uses a YunlvAI API key, with caution around broad triggers and locally saved outputs.

Install only if you intend to use YunlvAI TradeGPT for product-content generation. Use a dedicated API key where possible, avoid submitting confidential unreleased product or competitor information unless you trust the provider, check the local ./data/yunlv-skills/productDesc/ folder for saved outputs, and fact-check certifications, customs descriptions, SEO claims, and competitor comparisons before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger list includes broad terms such as 'SEO' and '差异化' that can match many ordinary conversations unrelated to this skill. Over-broad activation can cause the agent to invoke this skill unexpectedly, sending unrelated user content to the external TradeGPT API or producing unwanted file writes/logging, which expands data exposure beyond user intent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill states that generated content and logs may be written under './data/yunlv-skills/productDesc/' but the main usage flow does not clearly warn users that their product data and outputs may be stored locally. Because the skill handles potentially sensitive business information such as technical parameters, competitor comparisons, and SEO strategy, silent persistence increases confidentiality and retention risk.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger list includes broad, common terms such as "SEO", "产品详情", and "product description" that can match many ordinary writing or marketing requests outside the skill’s narrow intended scope. This can cause the agent to invoke the skill too aggressively, routing unrelated user prompts to an external API and increasing the chance of unnecessary data exposure or incorrect task handling.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.