阿里商品月销查询

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrowly scoped Taobao/Tmall sales lookup that discloses its third-party API use and shows no hidden persistence, destructive behavior, or unrelated data access.

Install this only if you are comfortable sending Taobao/Tmall item IDs to EarlyData for sales lookup. The artifacts do not show personal-data collection or local credential use, but the lookup is not fully local because it depends on a third-party API.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill sends user-provided product identifiers to a third-party service (mi.earlydata.com) without any explicit user-facing disclosure or consent mechanism in the code path. While the data involved is not highly sensitive by default, undisclosed transmission of user-supplied inputs to an external party is a privacy and transparency issue, especially in agent settings where users may assume local processing.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal