insight-ecom-oracle

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real paid prompt-library skill, but it needs Review because broad triggers can send user queries and IDs to an external service and route users to off-platform payment.

Install only if you are comfortable with your search terms and skill-specific user ID being sent to the listed external backend, and verify the Afdian payment page, price, and operator identity before paying. Avoid using sensitive business details in prompts that might trigger this skill accidentally, especially because some trigger phrases are broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill describes calling an external LAF API and directing users to an external payment URL, which are network-capable behaviors, yet no permissions are declared. Undeclared network use reduces transparency and platform enforcement, making it easier for the skill to exfiltrate data, phone home, or monetize users without clear consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill is presented as a prompt-retrieval assistant, but its workflow also creates user IDs, gates functionality on registration/payment status, and pushes users to an off-platform payment flow. This mismatch is dangerous because users and reviewers may not expect account tracking, monetization, or access control logic, which can facilitate deceptive billing and collection of user identifiers under misleading pretenses.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill implements user registration, payment gating, subscription checks, and renewal flows that are unrelated to a simple prompt search/presentation function. This expands the trust boundary, creates account-state handling inside the skill, and enables monetization logic that can mislead users or be abused without platform-level review.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
An embedded payment URL and monetization flow are hard-coded into a skill whose stated purpose is prompt retrieval. This introduces an off-platform commercial transaction path that may bypass consent, review, refund, and fraud controls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The manifest requests the `exec` tool even though the skill is described as a prompt lookup/search assistant with string inputs and outputs only. Granting shell execution to a skill that does not operationally need it expands the attack surface substantially: any downstream prompt injection, implementation bug, or future code addition could turn this unnecessary capability into command execution on the host.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several triggers are broad natural-language patterns such as `想要.*的提示词` and `获取.*的架构`, which can match ordinary conversation and cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because invocation can lead users into registration and payment prompts unrelated to their original intent.

Natural-Language Policy Violations

Medium
Confidence
72% confidence
Finding
The skill content, examples, and output format assume Chinese-language interaction without checking the user's language preference. While not inherently a security flaw on its own, this can impair informed consent and user understanding of payment, registration, and status messages, increasing the chance of confusion around billing or data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill transmits user query and user_id to an external service without any visible disclosure, consent, or minimization. Queries can contain sensitive business information, and user identifiers create linkability across searches.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The payment-status check unnecessarily resends the user's query along with the user_id to the external endpoint. This duplicates exposure of potentially sensitive queries for an entitlement check that should not require the search text.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger phrases include very broad entries such as `想要` and `获取`, which are common in ordinary conversation and likely to match unrelated user requests. This can cause unintended skill invocation, exposing users to unexpected behavior and increasing the chance that the skill processes inputs outside its intended e-commerce prompt-search scope.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The overall trigger design is loosely bounded: both generic phrases and permissive regex patterns (`(.+)`) make the invocation scope ambiguous. In a multi-skill environment, such broad matching can hijack unrelated requests, create routing confusion, and increase the risk that the skill receives sensitive or out-of-context user content it was not meant to handle.

Ssd 3

High
Confidence
91% confidence
Finding
The skill returns full retrieved prompt content directly to the user in code blocks with no content classification, redaction, or authorization checks beyond a coarse external status. If the backend contains proprietary prompts, embedded secrets, or accidentally indexed private data, this becomes a direct disclosure channel.

Ssd 3

High
Confidence
92% confidence
Finding
The fallback path extracts and returns raw prompt text when structured results are unavailable, bypassing normal formatting and any future output controls. This increases the chance of leaking unintended backend content in plain language.

VirusTotal

65/65 vendors flagged this skill as clean.
