Ecommerce Listing

Security checks across malware telemetry and agentic risk

Overview

This skill is a public product-listing extractor with some overbroad wording and a small local notes file, but the artifacts do not show hidden data theft, destructive behavior, or credential use.

Install only if you want an agent to navigate public e-commerce listing pages and extract visible product fields. Be aware it may keep a small local troubleshooting memory file in the working directory, and its advertised search/filter coverage may be broader than what the included scripts actually handle.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
This is a mismatch because the description promises a much broader product-search and filtered extraction capability than the code implements. The code only generates browser-side JavaScript for two narrow tasks: extracting products present on the current page and detecting the next page link. It does not initiate searches, consume user-provided keywords or URLs, apply any filters, crawl across pages, or implement specific Walmart/Google Shopping handling. While some declared targets like Amazon, eBay, WooCommerce, Shopify, and generic public product listing pages are partially reflected, the overall declared functionality materially overstates the actual behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Line L033 defines the operational boundary as only reading data already displayed to the user on the page. However, L157-L162 add persistent local-file behavior: reading a prior memory file before execution and appending new notes after execution. That goes beyond pure on-page extraction as described in the manifest and capability boundary.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The statement at L033 asserts a read-only boundary focused on browser-visible page data. This is contradicted by L159-L162, which direct the agent to read an existing file and append new content after execution. That is an active contradiction in the skill's own documentation, not merely an omitted detail.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The description's "Use when" list includes broad phrases such as "search for products," "list products from a site," and "get all products from category," alongside many variants without clear scope limits or exclusion conditions. In a manifest-style description, this can cause unintended invocation for generic shopping or browsing requests rather than narrowly targeted extraction tasks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown instructs the agent to read from and append to a local memory file, which is a file write affecting user/workspace data. The document does not clearly warn the user that execution may persist notes to disk or describe this storage behavior near the instruction.

VirusTotal

65/65 vendors flagged this skill as clean.
