ClawHub

VIP

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Vipshop shopping helper, but it can use a logged-in account to change your cart and prepare an order preview before leaving payment to you.

Before installing, understand that this skill is meant to operate in your Vipshop browser session after you approve login-related actions. Let it search and prepare a cart only for items you choose, then manually verify address, coupons, totals, and payment yourself.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Medium
What this means

If enabled after login, the agent could add selected products to the cart, apply discounts, and move to an order preview, so the cart or coupon selection may change before the user pays.

Why it was flagged

The skill documents browser actions that modify the user's cart and enter checkout/order-preview flow. This is aligned with the shopping purpose and bounded by stated payment rules, but it is still account-impacting automation.

Skill content
// Add to cart
browser.click(".add-cart-btn")
...
// Proceed to checkout
browser.click(".checkout-btn")
Recommendation

Use it only for items you have selected, review cart, address, coupons, and totals carefully, and keep final order submission/payment manual.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

The agent may see and act within logged-in account areas such as cart contents, available coupons, delivery address, and order totals.

Why it was flagged

The skill expects use of the user's logged-in Vipshop account for cart, coupon, address, and order-preview actions. It asks for confirmation before login, making this disclosed and purpose-aligned, but it still uses delegated account authority.

Skill content
Cart Phase (⚠️ Requires login) ... "请确认是否继续?" ... Add to cart ... Apply 优惠券 ... Select address ... Generate order preview
Recommendation

Only proceed after explicit consent, avoid exposing payment credentials, and log out or close the session when finished if you do not want further account access.