Niche - Peer to Peer Trading Cards Marketplace

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear marketplace purpose, but it asks the agent to use an unreviewed external CLI for wallet, escrow, payment, and scheduled background actions.

Review before installing. Use only with testnet or disposable accounts unless you can verify the `niche` CLI source, backend ownership, credential handling, and cron behavior. Require explicit approval before any login, browser transaction flow, listing change, deposit, confirmation, cancellation, refund, funding, or dispute action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 94% confidence
Finding
The agent guidance encourages automatic setup and transactional actions around deposits and confirmations, but does not require explicit, per-action user consent before initiating browser flows or irreversible fund-moving steps. In a financial skill, vague activation rules can cause an agent to trigger login, deposit, or purchase-completion flows from ambiguous user requests, increasing the risk of unauthorized or mistaken transactions.

Missing User Warnings

Medium, 89% confidence
Finding
The skill explains browser-based login and hosted backend architecture, but it does not present an upfront privacy and data-handling warning before steering users into hosted pages and third-party services. Users may not realize that authentication, passkey registration, wallet creation, browsing, and transaction flows involve external services and backend processing, which can lead to uninformed disclosure of personal or wallet-related data.

VirusTotal

64/64 vendors flagged this skill as clean.
