ClawHub

Dataify Ebay Products

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper for submitting eBay product collection jobs to Dataify using the user's API token, with no hidden persistence or unrelated data access found.

Install this only if you intend to let the agent submit Dataify eBay product collection jobs. Review the task parameters before approving a run, and only save DATAIFY_API_TOKEN locally if you are comfortable with future agent sessions using that credential for Dataify submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation description is extremely broad and includes catch-all language such as 'or similar' and troubleshooting/token-handling scenarios, which can cause the skill to trigger outside the user's precise intent. Over-broad routing increases the chance that a conversation about tokens, scraping, or eBay data gets diverted into a networked action path that uses credentials or submits jobs unexpectedly.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation while the metadata only provides broad natural-language matching criteria in the description and no narrow, enforceable trigger constraints in the policy. This can cause the agent to auto-select the skill for loosely related eBay scraping or troubleshooting requests, leading to unintended external task submission, data collection actions, or misuse of the configured API token without sufficiently explicit user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal