ClawHub

Ecommerce Product Pro

Security checks across malware telemetry and agentic risk

Overview

The skill does not show malware, but it markets real ecommerce research while generating synthetic business data and includes an under-protected off-platform payment workflow.

Review carefully before installing. Treat the product, supplier, revenue, and trend outputs as simulated unless the publisher provides real data sources and provenance. Do not rely on it for inventory, sourcing, ad spend, or financial decisions without independent verification, and avoid off-platform payments or sending payment screenshots unless you can verify the seller and terms through trusted channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The analyzeProduct method presents itself as product analysis but returns entirely random synthetic metrics while accepting real-looking identifiers like ASIN or URL. In an ecommerce research skill, this can mislead users into making purchasing or inventory decisions based on fabricated data, creating a deceptive-output integrity issue.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The findSuppliers method claims supplier discovery but generates fake supplier entries and randomized attributes such as verification status, rating, and location. Users may rely on nonexistent or misrepresented supplier information for sourcing decisions, which is especially risky in a business procurement context.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The trackTrends method implies genuine market trend tracking, but all demand, growth, social mentions, and Google Trends values are randomly synthesized. In the context of ecommerce product research, fabricated trend signals can directly distort strategic decisions about product selection, ad spend, and inventory planning.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes direct off-platform payment instructions via Alipay and tells users to send payment screenshots plus category details through external contact channels, without any privacy, fraud, or secure-handling warning. This creates a social-engineering and privacy risk because users may disclose financial metadata and personal contact information outside the platform's protections, and attackers or impersonators could exploit the workflow.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal