3D Pet Checkout Test

Security checks across malware telemetry and agentic risk

Overview

This checkout-testing skill mostly matches its purpose, but it embeds a real-looking Joyarti login and forces detailed reports to a fixed Feishu chat.

Review before installing. Use only a disposable test account, remove the embedded email/password, replace the fixed Feishu chat with a destination you control, redact account and project details from reports, and confirm the npx/agent-browser CDP helper is acceptable in your environment. Do not run it against production accounts or payment-adjacent flows unless you have explicit authorization and cost controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill uses shell, file access, and network operations but does not declare any permissions or capability boundaries. This is dangerous because operators and policy systems cannot accurately assess or constrain what the skill may do, especially given that it handles credentials, local files, browser automation, and external messaging.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose is a bounded checkout test, but the described behavior includes CDP attachment, local daemon interaction, arbitrary tab discovery by URL keyword, and a script-based upload flow that is broader than a simple test description suggests. This mismatch is dangerous because reviewers may approve the skill for benign automation while it has access patterns that can attach to or inspect unintended browser tabs and local services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The workflow forces repeated outbound Feishu messages to a fixed chat for every step, including failures and a final report. This creates an unnecessary external communication channel beyond local checkout testing and can exfiltrate operational state and test data to a hard-coded third-party destination.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The workflow invokes shell commands, curl, and Python scripts to download remote content, run a local CDP upload helper, and poll local debugging endpoints. These are powerful general-purpose execution capabilities that substantially exceed what a narrowly scoped browser checkout test should require and increase the blast radius for abuse or compromise.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The skill claims to test a purchase flow, but it hard-codes a real email/password, logs into a live site, downloads a remote image, and runs external scripts. This is materially broader than descriptive testing logic and exposes credentials and production-side actions in a reusable workflow.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Trigger phrases such as '测试下单' (roughly "test placing an order") or '运行工作流' (roughly "run the workflow") are generic enough to cause accidental or unintended invocation. In a skill that logs in with real credentials, uploads files, polls local browser state, and sends external notifications, unintended activation can cause privacy exposure and unauthorized actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill instructs use of account credentials and Feishu delivery but does not provide clear privacy and sensitive-data handling warnings. This is dangerous because users may unknowingly expose login details, account identifiers, operational status, or other sensitive workflow outputs to external systems.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The final report template includes the account identifier and operational details without warning that these may be disclosed in chat messages or logs. Even if only an email address is shown, this can expose personal or business identifiers and enable correlation of test activity.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The workflow lacks clear invocation boundaries, disallowed contexts, and environmental preconditions, despite containing login, upload, checkout-navigation, messaging, and local command execution behavior. Without explicit scope restrictions, it is easier to trigger in unintended contexts or against real user accounts and production systems.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: The skill requires sending step-by-step status and the final report, including the account identifier and run details, to an external Feishu target in plain language. This is dangerous because external chat channels may be misconfigured, broadly accessible, retained indefinitely, or monitored, resulting in unnecessary disclosure of sensitive operational data.

Ssd 3

Severity: High
Confidence: 99%
Finding: The workflow explicitly instructs the agent to send account-related progress and full test details over an external messaging channel. This is a natural-language-driven exfiltration path that can leak sensitive operational data, identifiers, and workflow results outside the execution environment.

Ssd 3

Severity: High
Confidence: 99%
Finding: The Step A completion message requires disclosing the exact login account email in plaintext to the external Feishu chat. That unnecessarily exposes account identity and creates a direct leakage of user or credential-associated information to a fixed external recipient.

Ssd 3

Severity: Medium
Confidence: 90%
Finding: The workflow requires periodic status reporting during generation and then explicitly sends the projectId on completion. Project identifiers can link to in-progress assets or internal records, so repeatedly exposing them to an external channel creates unnecessary metadata leakage and may enable follow-on access or correlation.

Ssd 3

Severity: High
Confidence: 99%
Finding: The final report aggregates and exports the account, projectId, product details, price, timing, and result state to an external chat. This concentrated semantic summary increases sensitivity because it packages multiple data points into a reusable exfiltration artifact.

VirusTotal

63/63 vendors flagged this skill as clean.