Seller Profit Calculator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to process uploaded e-commerce spreadsheets locally for profit reporting, with no artifact-backed evidence of hidden data transmission or harmful behavior.

Use local mode with redacted or synthetic exports first, especially if spreadsheets contain customer names, addresses, phone numbers, order IDs, or store financials. Do not rely on the README's --api example or provide PROFIT_API_KEY unless the publisher supplies clear hosted-processing documentation and an updated script that explains what data is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

High
Confidence: 96%
Finding
The README instructs users to enable `--api` mode with an API key but does not warn that order exports may be transmitted to a hosted service, which can expose sensitive business and customer data off-device without informed consent. In a tool handling order spreadsheets from many platforms, this omission increases the risk of privacy, confidentiality, and compliance issues if users assume processing remains local.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly says the agent reads headers and sample rows from uploaded order exports for LLM-based field inference, but it does not warn users that these files may contain sensitive commercial and personal data. Because sample rows can include customer identifiers, addresses, phone numbers, pricing, and store performance data, sending them to an AI analysis flow without a clear disclosure creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script outputs spreadsheet headers and up to three sample rows directly to stdout or writes them to a JSON file, which can expose sensitive business or customer data from uploaded order exports. In this skill context, the input files are likely to contain order identifiers, financial values, and possibly personal or operational data, so unredacted sampling creates a real data-leak risk through logs, terminals, shared workspaces, or downstream artifacts.

VirusTotal

No VirusTotal findings
