Listing Swarm

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it needs review because it can bulk-submit public listings, use paid captcha services, and read a mailbox for verification with imperfect disclosure and target scoping.

Install only if you intentionally want an agent to submit public listings for you across many third-party sites. Use a dedicated submission mailbox with an app password, not a personal inbox; review or limit the directory list first; avoid HTTP and mismatched third-party submit URLs; expect captcha-service charges; and revoke CAPTCHA and IMAP credentials after the submission campaign.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The skill declares access to sensitive environment variables and clearly requires networked interactions with many third-party sites, yet the analysis indicates these capabilities are not explicitly declared as permissions. That creates a transparency and governance gap: users and policy systems may not fully understand that the skill can read secrets and transmit data externally, which increases the chance of overbroad trust or accidental misuse.

Intent-Code Divergence

Medium
Confidence: 95%
Finding:
The documentation makes a materially misleading privacy claim by stating the skill does not access the user's email inbox, while later explicitly describing optional IMAP inbox access for automated verification. This can cause users to grant mailbox credentials under false assumptions, increasing the risk of overbroad trust and unintended exposure of email contents and verification links.

Intent-Code Divergence

Low
Confidence: 83%
Finding:
The statement that 'Nothing else goes anywhere' is inaccurate because the documented workflow involves interacting with external email infrastructure and using credentials to access mailbox contents for verification flows. Even if credentials are not stored by the skill, the claim understates external data handling and may mislead users about what systems receive or process their data.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
This entry set includes submit targets that are not clearly the named AI directory's own submission page, including direct payment pages or unrelated services. In a skill whose purpose is to automate browsing, form filling, captcha solving, and email verification across many sites, this materially increases the risk of sending user data or triggering actions on unintended destinations.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding:
These records point the named directory to different third-party platforms, which undermines the claim that the agent is submitting to the stated AI directory. Because the skill automates external interactions and may use user-provided API keys, inbox access, and captcha-solving services, mismapped targets create a real risk of data disclosure, account creation on unintended services, or deceptive redirection.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding:
Including HTTP-only submission targets is unsafe for a tool that automates submissions and may handle sensitive product details, email verification flows, and user-supplied keys during browsing sessions. Unencrypted transport enables interception or tampering by network attackers, potentially altering forms, stealing data, or redirecting the automation to malicious content.

Vague Triggers

Medium
Confidence: 80%
Finding:
The invocation guidance is broad enough that an agent could be prompted to perform mass automated submissions and related account/email actions without strong scoping, user confirmation checkpoints, or exclusions. In a skill that can read IMAP credentials and submit data to 70+ external sites, weak trigger boundaries increase the risk of unintended data transmission, spam-like behavior, or use on the wrong product/account context.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The skill automates sending product details, contact email, and potentially verification-related data to a large number of third-party directory sites, but the description does not prominently warn users about this external data sharing. That omission can lead users to provide business and mailbox data without fully understanding the breadth of disclosure, especially since 70+ destinations are involved.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The code sends captcha images, site keys, page URLs, and related page context to third-party captcha-solving services. In this skill's context, that is expected functionality, but it still creates a real privacy and data-handling risk because sensitive browsing context or challenge contents may be disclosed to external processors without explicit runtime consent or clear user warning.

VirusTotal

66/66 vendors flagged this skill as clean.
