Ecommerce Product Pro

Security checks across malware telemetry and agentic risk

Overview

This skill appears safe for the local system, but it presents random simulated ecommerce data as product, supplier, and trend intelligence users might rely on for business decisions.

Install only if you treat it as a demo or rough calculator. Do not rely on its product, supplier, sales, review, or trend outputs for purchasing, inventory, pricing, ad spend, or sourcing decisions unless the maintainer adds real data sources and clear provenance. Avoid providing real API keys until the provider, scope, and use of the key are documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The method is presented as analyzing a specific ASIN or URL, but it ignores the supplied identifier and returns random synthetic metrics. This is a deceptive mismatch between documented behavior and actual behavior, which can mislead users into making business decisions based on fabricated data rather than real product intelligence.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The supplier search function claims to find suppliers for a requested product, but it fabricates supplier entries and does not actually search based on the user input. In an ecommerce sourcing context, this can cause users to rely on nonexistent or irrelevant suppliers, leading to financial loss, wasted time, and poor procurement decisions.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The trend-tracking feature implies real market monitoring but instead generates synthetic trend values using randomness. Because this skill is marketed as product research for Amazon FBA, Shopify, and dropshipping, fabricated trend data is especially risky: users may choose products, inventory levels, or ad spend based on false signals.

VirusTotal

61/61 vendors flagged this skill as clean.
