Taobao Automation

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Taobao store operations helper with disclosed automation risks, not hidden or destructive behavior.

Install only if you want Taobao store automation. Before enabling recurring reports or monitoring, decide which shop metrics may be read, which chats or calendars may receive them, which competitor pages may be checked, how often jobs run, and how to stop them. Use least-privilege credentials and follow Taobao and third-party site rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill describes scheduled delivery of store metrics to Feishu/WeChat, which transfers potentially sensitive business data to third-party messaging platforms without an explicit user consent flow, data classification, or a warning about external transmission. This creates confidentiality and compliance risk, especially if reports include sales, performance, or operational data and are sent to misconfigured chats or external recipients.

Missing User Warnings

Medium
Confidence: 88%
Finding
The competitor monitoring workflow explicitly promotes periodic automated scraping of competitor pages but does not warn about external automated access, rate limits, or possible violations of platform terms and anti-bot controls. In context, the scheduled nature of the scraping increases the chance of abusive behavior, account blocking, or legal/policy issues if operators deploy it indiscriminately.

VirusTotal

65/65 vendors flagged this skill as clean.
