Pinduoduo Listing

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Pinduoduo copy generator, but it needs review because it can produce misleading sales claims, comparison claims, and review-incentive language as ready-to-use marketing copy.

Install only if you are prepared to manually review and rewrite outputs before publishing. Do not use any generated buyer counts, review rates, repurchase rates, same-factory/same-quality claims, scarcity claims, or review incentives unless you can substantiate them and they comply with marketplace rules. Avoid entering confidential campaign details into the generic script unless local logging is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill generates reusable product copy containing fabricated social proof and unverifiable claims such as buyer counts, repurchase rates, and quality equivalence. Because it is packaged as a marketing generator, users may deploy these statements as if they were factual, creating deception, consumer protection, and platform-policy risk at scale.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The comparison templates invent competitor prices and assert 'same quality', 'same factory', and similar equivalence claims without any evidence. This can mislead buyers and expose operators to false advertising, unfair competition, and marketplace enforcement actions, especially because the script presents the generated content as ready-to-use copy.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The review follow-up templates offer coupons, cashback, gifts, and discounts in exchange for 追评/晒图 (follow-up reviews and photo reviews), which can incentivize biased or manipulated reviews. This undermines review integrity and can violate platform rules and consumer law, making the skill materially risky even though it is framed as customer-service content.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script records user-supplied content into a local history file without notice, consent, or controls. In this skill context, users may enter sensitive business plans, marketing copy, keywords, or proprietary campaign details, so silent persistence increases the risk of unintended disclosure to other local users, backup systems, or support tooling.

VirusTotal

66/66 vendors flagged this skill as clean.
