Skills
skills/zimins/coupang-skill/coupang-shopping/Gen Agent Trust Hub

coupang-shopping

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructions require the agent to store highly sensitive credentials in a plain-text file on the local disk.
  • Evidence: Instructions direct the creation of ~/.coupang-session/credentials.json containing email, password, and paymentPin.
  • [COMMAND_EXECUTION]: User-provided product names and search terms are directly interpolated into shell commands, which can lead to command injection if a user provides malicious input.
  • Evidence: The prompt templates for the sub-agent include npx coupang-cli search "[사용자 요청]" and npx coupang-cli order-now "상품명" where variables are enclosed in quotes but not sanitized for shell metacharacters.
  • [EXTERNAL_DOWNLOADS]: The skill automatically installs external software packages and browser binaries during initialization.
  • Evidence: Use of npm install -g coupang-cli and npx playwright install firefox to set up the environment.
  • [DATA_EXFILTRATION]: The skill captures and processes sensitive screen data, including keypad images that contain numerical mapping for secure PIN entry.
  • Evidence: The "주문 시 키패드 처리 절차" involves taking 10 screenshots of the keypad (pad-key-0.png to 9.png), reading them, and creating a mapping file.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 14, 2026, 06:21 PM