Back to skill

Security audit

淘宝/京东/拼多多/全网商品检索比价

Security checks across malware telemetry and agentic risk

Overview

This shopping price-comparison skill mostly does what it says, but it generates purchase/share links with embedded service identifiers that are not clearly disclosed to users.

Review before installing. Use it only if you are comfortable sending shopping searches and selected product identifiers to maishou88.com, and treat returned purchase links as potentially share/referral-attributed. Verify seller, price, and destination before buying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The Chinese triggers include broad everyday phrases such as '帮我找' and '帮我查一下' that can activate the skill outside a clear shopping context. Unintended activation can cause unnecessary external searches, disclosure of user query content to third parties, and confusion about why the skill ran.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The English triggers like 'where to buy', 'best deal', and 'search product' are generic and likely to match many unrelated requests. In this skill, accidental activation is more concerning because activation leads to external product lookups and possible transmission of user-provided terms to a third-party service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs retrieving purchase links through an external service but does not clearly warn users that their search keywords and selected product identifiers will be transmitted off-platform. This lack of disclosure undermines informed consent and can expose user shopping intent or sensitive product queries to a third party.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.