Back to skill

Security audit

Skill Dropshipping Product Launcher

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: use CJ Dropshipping and WooCommerce credentials to create draft product listings, with no evidence of hidden or unrelated behavior.

Install only if you intend to let this skill access your CJ Dropshipping and WooCommerce APIs. Run --dry-run first, verify the store URL and product details, use staging or limited-scope credentials when possible, and keep the credential JSON files out of shared folders, logs, and repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill immediately frames itself as a one-command launcher that fetches data and creates a WooCommerce draft listing, but it does not prominently warn that the default action performs real external writes, including image uploads and product creation, unless --dry-run is used. This increases the risk of unintended changes to a production store by a user or agent who assumes the command is informational or low-impact.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation identifies exact local paths for files containing API tokens and WooCommerce credentials but does not include any warning about treating them as sensitive secrets. In an agent or shared workstation context, this normalizes insecure handling of high-value credentials and can lead to accidental exposure, misuse, or inclusion in logs, backups, or repositories.

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/cj-fetch.js:10

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/launch.js:20

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/woo-create.js:11

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/woo-create.js:20