vipshop-img-product

Fail

Audited by Snyk on Apr 24, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill mandates checking local token files and "must fully display" the raw Python script output (including pageTokens, exchange tokens or any returned auth/cookie values), which forces the agent to include secret/token values verbatim in its output.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The code intentionally reads a local PASSPORT_ACCESS_TOKEN and uses it to build signed "exchange" product links, embedding the token in a Base64 payload. If these links are displayed, shared, or clicked by others, they can enable session/token reuse or account takeover. No obfuscated payloads or remote shells were found, but this explicit credential-handling and token-embedding behavior creates a serious credential-leak/backdoor risk.

Issues (2)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E006 (CRITICAL): Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 24, 2026, 07:04 AM
Issues: 2