ClawHub

SP3ND — Buy from Amazon & eBay with USDC

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent and purpose-aligned, but it gives an agent real-money autonomous purchasing power and handles sensitive wallet and shipping data without strong built-in limits.

Install only if you intentionally want an agent to place real orders and spend funded USDC. Use a dedicated wallet with a small balance, protect `.wallet.json` like cash, require your own approval or spend-limit gate before payment, and share only shipping/contact details you are comfortable sending to SP3ND and fulfillment providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly promotes wallet generation, autonomous purchasing, payment, and credential regeneration for a financial workflow, but does not include any warning about irreversible blockchain transfers, safe private key handling, spending limits, or the need for human confirmation before orders are placed. In the context of an agent skill for real-money purchases, this omission materially increases the chance of unsafe deployment and accidental financial loss.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill is explicitly designed to let an agent autonomously purchase real-world goods with funded crypto, but it does not define strict invocation boundaries, spending constraints, approved merchant/item categories, or refusal conditions. In the context of an agent platform, this creates a real risk of prompt-triggered unauthorized purchases, abuse by downstream agents, or financial loss from acting on ambiguous or malicious instructions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest explicitly collects and transmits customer_email plus detailed shipping data including full name, address, postal code, country, and phone number, but provides no privacy notice, retention policy, consent guidance, or handling constraints. In a purchasing skill that enables autonomous order creation, this increases the risk of unnecessary exposure of personally identifiable information and makes misuse or overcollection more likely.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal