1688 Scraper

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose: it scrapes 1688 product pages and saves product images plus a JSON file locally, with no evidence of hidden exfiltration or destructive behavior.

Before installing, confirm you are comfortable with the skill opening 1688 pages, downloading product images, and writing JSON plus image folders to your Desktop or chosen output path. Run it first on a single product URL, watch disk usage for large products, and consider 1688/Alibaba platform rules and any privacy obligations around saving review or shop data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium, 93% confidence
Finding
The skill explicitly writes downloaded images and a JSON data package to the user's Desktop, but the description does not clearly warn the user before performing this local file creation. This creates a consent and privacy risk because users may trigger the skill expecting page extraction only, while it persists potentially large or sensitive merchant data and media onto local storage.

Missing User Warnings

Low, 90% confidence
Finding
The skill explicitly saves a JSON package and bulk-downloaded image folders to the local desktop, but it does not warn the user that running it will create potentially large numbers of files and consume local disk space. While this is not an advanced exploit, silent local file creation can surprise users, clutter sensitive environments, and cause resource or data-management issues when scraping many products.

Missing User Warnings

Low, 83% confidence
Finding
The skill describes collecting extensive product, shop, SKU, and user review data but provides no privacy or data-handling notice about what is stored, how long it is retained, or whether downstream use may implicate platform rules or personal data considerations. In context, the scraped content appears mostly commercial and public, which limits severity, but omission of disclosure still creates avoidable compliance and privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.
