Smart Price Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a self-consistent price-monitoring skill that saves monitoring data locally and can optionally send alerts; some of its wording is broad, and users should read it carefully before installing.

Install this if you want a local price-monitoring helper and are comfortable with monitored URLs, target prices, history, alerts, and reports being saved under a local price-monitor-data directory. Use only permitted APIs or scraping paths, avoid sensitive private targets unless you control both the storage and the alert recipients, and do not grant purchase authority: the skill's artifacts support monitoring and recommendations only.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill instructs the agent to create and maintain persistent local files such as monitors.json, history logs, reports, and alerts, but no explicit permissions are declared. This creates a capability/consent mismatch: users may invoke a seemingly simple monitoring skill without clear disclosure that it can read environment data and write persistent files, increasing risk of unintended data retention or misuse of connected tooling.

Vague Triggers

Medium
Confidence: 88%
Finding
The invocation text is extremely broad, positioning the skill as the default for almost any real-world monitoring, scraping, market watch, or data extraction request. Overbroad triggering can cause the skill to activate in contexts the user did not intend, leading to unsolicited web scraping, data collection, persistence, or outbound alert setup beyond the principle of least astonishment.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly directs persistent storage of monitoring data and supports outbound delivery via notifications, Slack, and email, yet it provides no user-facing warning about retention, sensitive URLs, competitor intelligence data, or where alerts will be sent. In this context, the risk is elevated because the skill is designed for ongoing collection of third-party and potentially business-sensitive data, making silent storage and transmission more privacy-impacting than a one-off extraction task.

VirusTotal

67/67 vendors flagged this skill as clean.