ClawHub

Luogang shopping assistant

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only shopping skill that queries a Luogang product service and presents purchase links, with no hidden code, persistence, credentials, ordering, or payment authority.

Install this if you want shopping queries routed to Luogang's product lookup service. Avoid including unrelated personal information in searches, and review any H5 or mini-program purchase page yourself before buying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger examples for product search are very broad everyday shopping phrases such as '买鞋子' and '有没有外套', which can cause the skill to activate in many generic conversations. Because the skill sends user queries to a remote MCP service, overbroad activation increases the chance of unintended external transmission of user input and misrouting of general requests.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The detail-view triggers like '查看详情', '这个多少钱', and '还有货吗' are ambiguous because they could refer to almost any object mentioned in conversation, not specifically a Luogang product. In context, this matters because the skill may fetch remote product data or infer product context incorrectly, causing unintended tool use and unnecessary data disclosure to the external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to call a remote MCP endpoint for realtime product lookup, but it does not warn that user queries and selected parameters will be transmitted to an external service. This creates a privacy and transparency issue, especially if users include personal preferences, shopping intent, or other sensitive details in freeform queries.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal