test-publish

Security checks across malware telemetry and agentic risk

Overview

This skill is aligned with product publishing, but it performs live browser automation with hard-coded login credentials and no final confirmation before sending.

Review carefully before installing. Only use this if you trust the publisher, understand what the embedded account can access, and are comfortable with an automatic live send action through a raw HTTP service. A safer version would use user-managed credentials, document the target service, show a preview, and require explicit confirmation before publishing or submitting anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill’s declared purpose is limited to publishing products to Ozon, but the referenced behavior includes hardcoded login, access to a fixed IP/service, screenshot capture, and broad UI automation that are not transparently disclosed in the skill contract. This creates a significant trust-boundary violation: users may authorize a narrow business workflow while the implementation performs additional sensitive actions that could expose credentials, internal services, or unrelated page data.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding: The implementation does not match the advertised business purpose and instead automates a generic internal-looking web UI using hardcoded credentials and a blind send action. This mismatch is dangerous because reviewers or users may grant the skill trust and permissions based on the manifest description while the script performs opaque remote actions on a different system.

Intent-Code Divergence

Medium
Confidence: 92%
Finding: The comments and CLI description frame the script as harmless dropdown interaction and screenshot capture, but the code also logs into a remote service and clicks a send button that may trigger external side effects. Misleading documentation reduces informed consent and increases the chance that operators execute the script without understanding it will authenticate and submit actions to a live system.

Vague Triggers

Medium
Confidence: 77%
Finding: The trigger condition is broad enough that normal conversation about listing or publishing products could activate a real browser-driven workflow without sufficiently explicit user intent. In an automation skill that can perform external actions, ambiguous activation increases the risk of unintended product publication or unauthorized operational changes.

Missing User Warnings

Medium
Confidence: 88%
Finding: The skill does not clearly warn users that it will directly control a browser and perform publishing actions on their behalf. That omission undermines informed consent and can lead users to disclose parameters or invoke the skill without understanding that it may carry out irreversible marketplace operations.

Missing User Warnings

Medium
Confidence: 95%
Finding: The script performs a potentially irreversible send operation automatically after selecting inputs, with no confirmation, preview, or validation of what will be submitted. In this skill context, the action appears related to product distribution or publishing, so accidental or unauthorized execution could cause unintended listings, data transmission, or business workflow changes on the remote platform.

VirusTotal

47/47 vendors flagged this skill as clean.
