Back to plugin

Security audit

TangleClaw eBay Research

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, read-only eBay research plugin that uses local eBay app credentials only to call eBay APIs and cache an app token.

Install only if you are comfortable storing your own eBay developer App ID and Cert ID on the OpenClaw host. Keep the credentials and token paths private with restrictive permissions, use sandbox first when possible, leave Marketplace Insights disabled unless eBay has granted access, and avoid wiring the tools into bulk scraping or high-frequency polling workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Credential Access

High
Category
Privilege Escalation
Content
# eBay Research operator

You have 7 direct-REST tools that talk straight to eBay's REST APIs (Browse, Taxonomy, Marketplace Insights) using a `client_credentials` OAuth flow — an app token, NOT a per-seller token. No MCP, no third-party gateway. The plugin reads its credentials from `~/.openclaw/secrets/ebay-research-credentials.json`.

## Rule zero: never narrate, always re-call
Confidence
70% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
### Diagnostic: "ebay isn't working" / "no results"

1. `ebay_research_auth_status` — confirms credentials are in place and which environment is active.
2. If `connected: false` and `credentials_present: false` → tell the operator to drop a credentials JSON at the configured `credentialsPath` (default `~/.openclaw/secrets/ebay-research-credentials.json`).
3. If `connected: false` but `credentials_present: true` → the next tool call will trigger a token refresh; just retry their original query.

## Cross-plugin handoff
Confidence
70% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
| Need | Tool | Notes |
| --- | --- | --- |
| Is the plugin connected to eBay? | `ebay_research_auth_status` | Returns environment (sandbox/production), cached-token expiry, and a `reason` field when not connected. NEVER echoes the access token itself. Call when something's failing and you want to confirm credentials are in place. |

## Insights gating: read this before calling sold-history
Confidence
70% confidence
Finding
access token

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/auth.js:156
Evidence
access_token: [REDACTED],