ClawHub

Alibaba Supplier Outreach

Security checks across malware telemetry and agentic risk

Overview

This skill automates Alibaba supplier outreach and stores negotiation notes locally, and those behaviors fit its stated purpose with user approval required before sending messages.

Install only if you are comfortable letting the agent use your logged-in Alibaba session, read supplier conversations, send only messages you approve, and keep local plaintext negotiation logs under ~/.claude/supplier-conversations. Delete those files when no longer needed if the supplier data is sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill persists supplier negotiations and business context to local files under ~/.claude without any explicit user notice or consent. This creates a confidentiality risk because supplier identities, pricing targets, negotiation history, and potentially personal/company identifiers are stored on disk and may be accessed later by other tools, users, or processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill reads Alibaba message threads, extracts supplier replies, pricing, lead times, and questions, and uses that content to drive decisions without a privacy warning or explicit consent flow. Because message centers often contain commercially sensitive negotiations and personal contact details, silently ingesting and summarizing this content increases the risk of unauthorized handling or over-collection of private business data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal