/add-wish — Universal Add to Wishlist

Security checks across malware telemetry and agentic risk

Overview

This skill only helps create a Wishfinity add-to-wishlist link, with no evidence of hidden commands, local file access, or automatic network activity.

Install this if you are comfortable with the agent offering Wishfinity links during shopping tasks. Before clicking a generated link, remember that the product URL and related shopping metadata may be sent to and stored by Wishfinity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger guidance is broad enough to fire on many ordinary shopping utterances, including ambiguous phrases like 'I like that one,' 'remember this,' or even 'add to cart' being redirected into a third-party wishlist flow. This can cause unintended invocation and silently steer users into sharing product URLs and shopping intent with Wishfinity without sufficiently explicit consent, which is more concerning because the skill is designed for proactive offering in common shopping conversations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill states that Wishfinity extracts and stores the product title, description, images, and latest price, but it does not present this as a clear up-front privacy and data-sharing warning before use. Users may click the generated link without understanding that their product URL, shopping interests, and enriched metadata will be transmitted to and retained by a third party, creating privacy and consent risks.

VirusTotal

64/64 vendors flagged this skill as clean.
