Gurkerl

Security checks across malware telemetry and agentic risk

Overview

This grocery-shopping skill is coherent overall, but it needs review because it uses account passwords and exposes tools that can place or change orders, affect credits, and send support email without clear confirmation guidance.

Install only if you trust the agent and have verified the actual Gurkerl CLI and MCP endpoint. Avoid persistent password storage unless necessary, protect any service configuration containing credentials, and require the agent to ask before placing orders, changing payment or delivery details, cancelling orders, filing claims, requesting credits, changing deposits, or sending support email.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The manifest describes the skill as grocery shopping, but the documented toolset also includes broader capabilities such as customer support contact, sending email on the user's behalf, job listings, and arbitrary URL content retrieval. This mismatch can mislead users or higher-level agents about the true privilege scope, increasing the chance that sensitive or out-of-scope actions are invoked without appropriate scrutiny.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The `get_url_content` capability allows retrieval of arbitrary URL content, which is much broader than the stated grocery-shopping purpose. In an agent setting, this can be abused for unintended network access, prompt injection through fetched remote content, or use as a general web fetch primitive outside the user's expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The `email_support_on_user_behalf` tool enables outbound communication as the user, which can cause unauthorized messages, disclosure of account/order details, or social engineering against support channels if triggered without explicit consent. This exceeds the narrow shopping-management description and creates real-world account and privacy consequences.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The setup instructions direct users to store account email and password in environment variables and a persistent systemd user service configuration without any warning about credential exposure risks. Environment variables and service files can be readable to local processes, logged, or left behind on disk, increasing the chance of account compromise.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill documents many destructive or account-affecting operations—such as clearing carts, submitting checkout, canceling orders, changing payment or timeslots, filing claims, and sending support email—without warning that these actions should require explicit confirmation. In an agentic workflow, lack of confirmation guidance raises the risk of accidental purchases, order changes, or support actions with financial and privacy consequences.

VirusTotal

63/63 vendors flagged this skill as clean.