ClawHub

trendyol-admin

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking Trendyol API reference, but it enables broad production marketplace changes with real seller credentials and does not define enough safety controls.

Install only if you intend to let an agent help administer a Trendyol seller account. Use staging or limited credentials where possible, never paste secrets into public chats or logs, redact Authorization headers, and require explicit confirmation before deleting products, changing prices or stock, updating orders or returns, sending invoices, answering customers, or modifying webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The document embeds live Postman collection URLs containing access_key query parameters, which are credential-like tokens for a third-party service. Even in a reference file, publishing reusable bearer-style links can enable unauthorized access, copying of collections, unintended external transmission, or token abuse beyond the skill's core purpose.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs an agent to construct Basic Auth credentials and execute live production API requests, but it provides no safeguards around secret handling, redaction, confirmation prompts, or production-change risk. In an agent context, this can lead to accidental credential exposure in logs or prompts and unintended destructive actions against a real marketplace account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal