ClawHub

Ecommerce Seller Info

Security checks across malware telemetry and agentic risk

Overview

This skill reads public marketplace seller pages to extract seller profile details, with no hidden install behavior or credential access.

Install if you want an agent to inspect public Amazon, eBay, or similar seller profile pages. Use it on seller or storefront URLs, and review results before sharing them because profile descriptions, images, and page URLs may be included in the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Low
Confidence
94% confidence
Finding
The skill extracts and returns fields beyond the manifest’s advertised scope, including description, image, and URL. This creates a data minimization and transparency issue: callers may trust the manifest to describe all collected outputs, but the code quietly gathers additional profile data, which can lead to unintended disclosure or policy noncompliance.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The generic fallback extracts seller description even though the skill description only promises core seller profile metadata like name, rating, review count, joined date, and return policy. While not an exploit primitive, this is still a real overcollection issue because it broadens returned data in a way users and platform reviewers would not expect.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill description includes a very broad set of trigger phrases such as general seller research, merchant rating, store information, and vendor analysis, which can cause the agent to invoke this skill for loosely related requests outside a narrow seller-profile extraction context. Over-broad routing increases the chance of unintended browser automation on third-party pages and can lead to scope creep, incorrect tool selection, or unnecessary collection of marketplace profile data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal