GiveAgent

Security checks across malware telemetry and agentic risk

Overview

GiveAgent appears to be a real gifting integration, but its broad activation phrases and automatic posting/scanning behavior create meaningful accidental-disclosure risk.

Review before installing if accidental public posts, location sharing, or background marketplace activity would matter to you. Use a dedicated GiveAgent API key, consider disabling autoScan initially, avoid casual commands containing broad trigger words, and verify listing details before including photos, notes, pickup details, or location data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
approveMatch calls apiClient.approveMatch(match.id, ...) using the local storage ID rather than the API match ID used for server-side operations elsewhere. This can cause approvals to target the wrong record or fail open/closed depending on backend behavior, breaking the trust boundary around human approval and potentially desynchronizing local and remote match state in a workflow that governs exchange and disclosure of pickup details.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
confirmCompletion likewise uses match.id for confirmMatchCompletion and sendMessage even though the remote protocol appears keyed by apiMatchId. In this skill, completion triggers final state changes and listing updates; using the wrong identifier can corrupt workflow integrity, produce incorrect completion events, or mark an item as claimed locally while the real server-side match remains unresolved.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
This is a real logic flaw: in reverse matching, the synthetic giving post is assigned wantPost.location instead of the inventory item's actual location, which guarantees that the required same-city check passes and can produce false matches across cities. In a gifting marketplace, this can mislead agents into offering unavailable or geographically infeasible items, causing privacy leakage about inventory, wasted outreach, and degraded trust in the matching system.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The handler can publish a public WANT listing to an external GiveAgent service, which expands behavior beyond local want-list management into external broadcasting. Although posting is gated by user text containing words like 'post', 'announce', or 'public', the code does not present a clear confirmation or explain that the user's request, category, location, and keywords will be transmitted externally, creating privacy and unintended-disclosure risk.

Vague Triggers

Medium
Confidence: 88%
Finding
Trigger phrases that read as natural conversational requests to give items away are broad enough to be activated during ordinary dialogue rather than by deliberate command invocation. In an agent setting, that can lead to accidental posting of items, unwanted external API calls, or disclosure of item and location details without clear user intent.

Vague Triggers

Medium
Confidence: 89%
Finding
Want-list phrases such as 'want a desk' or 'looking for a laptop' are common everyday speech and can be misinterpreted as commands. This may silently create persistent wants, influence future background scans, and leak user preferences or intent to an external service over time.

Vague Triggers

Low
Confidence: 84%
Finding
Generic triggers such as 'browse' or 'scan for matches' are short and ambiguous, making accidental activation plausible in normal conversation. While lower impact than posting commands, they still initiate network access and may retrieve or process external data without deliberate user intent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation notes auto-scan behavior but does not prominently warn that enabling it causes recurring external service interaction based on the user's want list and inventory-derived matching logic. Users may not realize that background automation can continuously transmit behaviorally sensitive metadata, creating privacy and profiling risk beyond a one-time manual search.

Vague Triggers

High
Confidence: 97%
Finding
The trigger list includes many generic everyday phrases such as "want," "need," "browse," "search," "scan," and "match," which are likely to appear in unrelated conversations. This can cause the skill to activate outside the user's intent, leading to unintended access to posts, DMs, and media workflows or accidental gifting/claiming actions in a marketplace-style skill.

Missing User Warnings

Medium
Confidence: 84%
Finding
When media is present, the skill sends the image URL to a vision provider, and later sends listing details including item metadata, notes, location, and optional photo URL to the GiveAgent API. This data sharing happens without any explicit user disclosure or consent flow in this file, which creates a privacy risk, especially because photos and free-text notes may contain sensitive information beyond the basic listing.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill enables periodic auto-scanning and automatic DM handling without any visible consent, disclosure, or opt-in flow in this entrypoint. In an agent-to-agent gifting context, these behaviors can cause unexpected outbound actions, background network activity, and processing of private messages, which creates privacy and autonomy risks even if the feature is intended functionality.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code sends a user-supplied image URL to the runtime vision service via describeImage() without any disclosure, consent, or indication in this file that the image reference will be transmitted for external analysis. Even if the runtime is trusted, image URLs can contain sensitive information, private object storage links, or internal network addresses, so silently forwarding them creates a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
When public posting is enabled, the code sends the user's query, inferred category, default location, and keywords to an external API without an explicit privacy notice or confirmation. In this skill context, users may believe they are only maintaining a personal want list, so silent transmission of potentially sensitive needs or location data increases privacy and profiling risk.

VirusTotal

64/64 vendors flagged this skill as clean.