Taobao Live

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Taobao livestream operations guide, with some marketing-compliance risks but no hidden code or system access.

Installing this skill is technically low risk, but users should review and rewrite the sample livestream scripts before use. Avoid absolute claims like lowest price, fake scarcity, unverifiable inventory pressure, or unsupported discount claims, and ensure all prices, stock limits, testimonials, and promotions are truthful and platform-compliant.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The skill explicitly includes the phrase “全网最低没有之一” in a sample retention script while later stating that absolute claims are prohibited. This contradiction can directly induce users to generate non-compliant marketing content, creating legal, platform-enforcement, and account-penalty risk through misleading advertising claims.

Intent-Code Divergence

Medium

Confidence: 85% confidence
Finding: The sales script encourages urgency through statements like ‘人数够了我去找品牌方砍价’ and staged inventory/price pressure, which can become deceptive if not true in the actual sales process. In a live-commerce skill, this is more dangerous because operators may reuse the script verbatim at scale, leading to misleading pricing claims, fake scarcity, or other prohibited promotional behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal