ecommerce-customer-service-pro

Security checks across malware telemetry and agentic risk

Overview

This is a text-only e-commerce customer-service drafting skill, with expected order-related templates and no code execution or account access.

Safe to install based on the reviewed artifacts. When using it, request only the minimum customer information needed, use authenticated private support channels for order changes or refunds, and verify store policies before sending generated replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This template asks customers to send an order number, which is order-linked personal data, without warning them to use an official support channel or avoid posting sensitive information in insecure contexts. In a customer-service skill, such language can normalize oversharing and increase the risk of unauthorized disclosure, impersonation, or mishandling of customer records.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Requesting an order number together with modified personal details can expose both transaction identifiers and personally identifiable information, creating a stronger risk of account takeover, fraudulent address changes, or privacy violations if used in the wrong channel. Because this skill is designed for reusable messaging, the omission of a privacy warning could propagate unsafe collection practices at scale.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The refund template requests an order number and refund reason without clarifying secure handling, which can encourage customers to disclose order-linked data in untrusted messaging contexts. In refund scenarios, attackers commonly exploit such information for social engineering, refund fraud, or unauthorized account actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This after-sales template asks for an order number plus photos/videos, which may contain packaging labels, home environments, names, phone numbers, or addresses. Without a privacy warning or minimization guidance, the skill may prompt unnecessary disclosure of sensitive personal data and create retention and handling risks for merchants or agents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Complaint-handling language that requests order identifiers and detailed circumstances without a privacy notice can lead users to disclose personal and transactional information too broadly. In a high-emotion complaint context, users are especially likely to overshare, increasing privacy and social-engineering exposure.

VirusTotal

VirusTotal findings are pending for this skill version.
