Ecommerce Automation

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for ecommerce automation, but it may affect live store data without enough visible guardrails.

Install only if you are prepared to tightly scope it: start read-only or sandboxed, require confirmation before any inventory, listing, pricing, or order-state change, limit credentials to the minimum needed, and review alert contents for sensitive data before sending them to email, Slack, SMS, or similar channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill promotes auto-processing orders and cross-platform syncing that can change inventory, listings, and order state in live commerce systems, but it does not clearly warn users that these are write-capable actions with business-impacting consequences. In this context, accidental activation, misconfiguration, or overly broad workflow scope could cause overselling, incorrect listings, price changes, or fulfillment errors across multiple connected platforms.

Missing User Warnings

Low
Confidence: 82%
Finding
The skill encourages competitor scraping, monitoring, and outbound alerts/reporting, but it does not advise users about privacy, terms-of-service, or data-handling obligations when collecting external website data and transmitting store-derived information through email, Slack, SMS, or similar channels. This omission can lead to unauthorized collection, policy violations, or unintended disclosure of business-sensitive data.

VirusTotal

VirusTotal findings are pending for this skill version.
