ClawHub

alphashop-text

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AlphaShop text API wrapper, with clear cautions around third-party API use and configured credentials.

Install only if you intend to use AlphaShop for these text-processing tasks. Configure least-privilege AlphaShop keys through OpenClaw settings, avoid submitting secrets or confidential product data unless sharing it with AlphaShop is approved, and expect calls to use AlphaShop account credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly requires environment secrets (`ALPHASHOP_ACCESS_KEY`, `ALPHASHOP_SECRET_KEY`) and performs outbound API calls, yet the manifest does not declare corresponding permissions. This creates a permission-transparency gap: users or platforms cannot accurately assess that the skill accesses sensitive credentials and the network before use.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to place AlphaShop access keys in configuration but does not clearly disclose that the skill will use those credentials to authenticate to an external third-party service. This creates a consent and transparency problem: users may provide sensitive API secrets without understanding where they are sent, how they are used, or what trust boundary they are crossing.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are very broad (e.g. generic translation, title generation, and multilingual text requests), which can cause the skill to activate in contexts beyond the user's intent. Because the skill uses API-backed processing and requires secrets/network access, overbroad activation increases the chance of unnecessary data disclosure to a third-party service or unintended execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal