ClawHub

Ehunt Shopify Store Query

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed LinkFox/EHunt Shopify store lookup tool, with expected external API use and local response-saving helpers that users should handle carefully.

Install only if you are comfortable using a LinkFox API key and sending Shopify search/filter terms to LinkFox. If you use the large-response helper, choose a temporary directory, do not commit the saved files, and delete them after use because results may include business-sensitive data or contact information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger scope is very broad: it fires not only for EHunt-specific store-query requests but for generic Shopify store discovery, competitor analysis, advertising, and performance-analysis language, even when EHunt is not mentioned. Overbroad activation can route unrelated user requests into a tool-backed workflow that performs network access and data handling the user did not clearly intend.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs use of an API key and sending query parameters to an external gateway, but does not warn that user-supplied business search terms and filtering data will leave the local environment. In an agent setting, that omission can cause operators or downstream systems to transmit potentially sensitive research targets or customer data to a third-party service without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Feedback API section sends content to a separate external base URL but does not disclose privacy implications or warn against including sensitive user information in feedback text. This creates a risk that conversation details, user intent, or operational data could be forwarded to another service unexpectedly, increasing data exposure beyond the primary tool gateway.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The wrapper always writes full subprocess stdout to disk, even when the output may contain API responses, tokens, PII, or other sensitive business data. In an agent skill context that handles external service responses, this creates a durable local data exposure surface and may leak secrets to other users, logs, backups, or later tooling that reads the files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal