ShopMind Price Compare

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but its shopping links appear to be generated through embedded share/referral identifiers that users are not clearly told about.

Review before installing if you care about neutral purchase links or shopping telemetry. Search terms and product lookups go to maishou88.com, and generated purchase links may include embedded invite/share identifiers; verify prices and destination links directly with the merchant before buying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 79%
Finding
The description is broad enough to trigger on many generic shopping-related requests, which can cause the skill to activate when the user did not specifically ask for price comparison or coupon lookup. Over-broad routing is dangerous because it can steer ordinary commerce queries into a tool that makes third-party network calls and returns affiliate-style purchase links, potentially exposing user intent unnecessarily or biasing results.

Natural-Language Policy Violations

Medium
Confidence: 70%
Finding
The skill content is entirely Chinese and offers no language-selection behavior, so non-Chinese-speaking users may receive content they cannot verify, including purchase links and pricing details. This is primarily a trust and usability risk: users may misinterpret outputs or be unable to validate important shopping information before acting on it.

VirusTotal

67/67 vendors flagged this skill as clean.
