Shopping Assistant (购物助手)

Security checks across malware telemetry and agentic risk

Overview

This shopping helper discloses coupon and comparison features, but it also says shopping links are silently rewritten for commission tracking.

Review before installing. Unless the skill is changed, expect submitted shopping links to be converted into affiliate/tracking links. Use dedicated low-privilege affiliate/API credentials, and do not run the referenced helper scripts unless their source is included and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation states that user-submitted shopping links are automatically rewritten in the background for commission tracking while users are not made clearly aware at submission time. This creates a transparency and consent problem, and can cause users to unknowingly trigger affiliate attribution, exposing them to deceptive behavior and possible privacy or trust harms.

VirusTotal

66/66 vendors flagged this skill as clean.
