ClawHub

电商爆款拆解分析助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed e-commerce research helper that searches public shopping information and creates a local interactive HTML report, with no evidence of hidden exfiltration or destructive behavior.

Install if you want an agent to perform web searches about product categories and create a local HTML analysis report. Be aware that it may run for broad market-analysis prompts, and generated reports load Chart.js from jsDelivr unless modified to be fully self-contained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match ordinary shopping or market-research requests, which can cause the skill to activate unexpectedly. Because the skill has WebSearch, WebFetch, Bash, Write, and Edit permissions, accidental invocation can lead to unnecessary external requests and local file creation without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill generates and writes an HTML report, but the user-facing description does not clearly disclose this side effect. Users may believe they are receiving only conversational analysis, while the agent creates a file artifact that could persist locally or be opened later with active content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Requiring Chart.js from a CDN introduces an external network dependency that is not disclosed to the user. Opening the generated report may contact third-party infrastructure, leaking metadata such as IP address, user agent, access time, and possibly contextual information about the report usage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal