Mobazha Product Import

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent Mobazha listing-migration helper, with some guardrails users should apply around authorization and image downloads.

Use this skill only for your own Mobazha store and catalogs you own or are authorized to migrate. Before letting it download images, review the source URLs, avoid localhost/private-network links, set practical size and count limits, and delete temporary ZIP/media files when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is broadly phrased around importing, migrating, or copying listings from multiple platforms, which can cause the agent to activate in response to generic requests that do not clearly establish authorization or ownership of the source data. In a commerce context, over-broad triggering increases the chance of assisting with unauthorized copying of third-party catalogs or initiating actions before provenance and permission are verified.

Vague Triggers

Low
Confidence: 80%
Finding
Referring to 'other e-commerce platforms' without scope limits makes the skill applicable to undefined sources, including sites where scraping, copying, or bulk extraction may be unauthorized or legally restricted. That ambiguity expands the operational surface of the skill and can normalize unsafe use on unsupported or third-party platforms.

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly instructs the agent to download external image URLs to local files and package them into a ZIP, but it provides no requirement for user consent, allowlisting, scheme restrictions, or safeguards around network access and filesystem writes. In an agent context, this can enable unintended outbound requests and local file creation based on untrusted product data, increasing SSRF, privacy, and resource-abuse risk.

VirusTotal

66/66 vendors flagged this skill as clean.
