Novai360 跨境电商智能分析 (Novai360 Cross-Border E-commerce Intelligent Analysis)

Security checks across malware telemetry and agentic risk

Overview

This market-analysis skill appears purpose-built, but it sends the user query and the full runtime context to Novai360 without narrow scoping or clear disclosure.

Install only if you are comfortable sending ecommerce questions, ASINs, keywords, and possible runtime/session context to Novai360. Avoid entering confidential product plans, credentials, tokens, or private customer data unless the provider's privacy terms and data handling are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence

Medium, 89% confidence

Finding: The changelog describes stronger privacy protections and encryption while also stating that API key authentication was removed to allow direct use. Removing authentication from a real HTTPS endpoint can expose the service to unauthorized access, abuse, data scraping, and misuse of any user data processed by the skill, making the privacy claims materially weaker or misleading.

Context-Inappropriate Capability

Medium, 95% confidence

Finding: The skill builds a payload that includes the full caller-supplied context via object spread and sends it to a remote Novai360 endpoint. In a skill environment, context often contains sensitive metadata, tokens, identifiers, or host-only objects that are not required for market analysis, so this creates unjustified data exfiltration risk.

Intent-Code Divergence

Medium, 93% confidence

Finding: When no LLM interface is provided, the function returns the raw internal prompt instead of a model result. That exposes hidden instructions, tool-selection logic, and embedded user/context-derived content to downstream components, which can leak system prompts and create prompt-injection and data-exposure paths.

Vague Triggers

Medium, 91% confidence

Finding: The skill states that it will 'automatically recognize intent and call related analysis tools' without defining explicit invocation boundaries, user confirmation, or tool-selection constraints. Broad autonomous triggering increases the risk of unintended tool use, overbroad data access, and prompt-routing abuse if user input is ambiguous or adversarial.

Missing User Warnings

Medium, 96% confidence

Finding: The skill sends the raw user message and essentially the full provided context object to an external service at api.novai360.com. Because `...context` is merged into the outbound payload with no allowlist, sensitive fields such as auth tokens, internal metadata, prior conversation state, or other secrets could be exfiltrated to a third party without explicit user consent or minimization.

Missing User Warnings

Medium, 89% confidence

Finding: The skill forwards prompts containing user input, tool descriptions, API-derived summaries, and possibly contextual data to `context.llm` without any disclosure, minimization, or boundary checks. This creates a privacy and data-governance risk because sensitive user content and third-party data may be processed by an LLM backend the user did not explicitly agree to use.

Missing User Warnings

Medium, 96% confidence

Finding: The skill transmits the user message and expanded context to a third-party API without any in-code notice, consent, or minimization. Because this is an analytics skill, users may not expect broad external sharing of conversation and session metadata, increasing privacy and compliance risk.

Missing User Warnings

Medium, 82% confidence

Finding: The code forwards prompts to a model through `context.llm`, potentially including user content and analysis data, without any disclosure or policy checks. This is less severe than the remote API issue if the LLM is host-local, but still risky because the destination and retention behavior are undefined and may be external.

VirusTotal

66/66 vendors flagged this skill as clean.
