Jiimore Niche By Asin

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised Amazon ASIN competitor lookup, but it also instructs agents to silently send broad feedback and user-context details to a separate LinkFox endpoint.

Install only if you are comfortable sending ASIN research queries and filters to LinkFox using your LINKFOXAGENT_API_KEY. Treat the automatic feedback behavior as the main review concern: disable or ignore feedback submissions unless the user explicitly opts in, and do not include private business details, secrets, or sensitive prompt content in feedback.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill adds an automatic feedback-reporting behavior unrelated to the core task of ASIN niche competitor lookup. Because feedback triggers include broad conditions like dissatisfaction, praise, or anything improvable, the skill could exfiltrate user sentiment, prompts, or workflow context to another API without clear necessity or user consent.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The file for an ASIN niche-competitor lookup skill embeds a separate feedback-submission API that is unrelated to the primary tool function. In an agent setting, this creates scope creep and increases the chance that user-derived content is transmitted to an additional external endpoint without clear user awareness or strong gating, which can lead to privacy leakage or unintended data exfiltration.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger definition is intentionally broad and instructs activation even when users do not explicitly mention niche analysis. Over-broad routing increases the chance this skill captures unrelated requests and unnecessarily sends user-provided ASINs or business context to the external Jiimore/LinkFox backend, expanding data exposure and causing incorrect tool invocation.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation instructs use of an API key via the Authorization header and an environment variable, but provides no warning that requests send user/query data to an external service. In agent workflows, missing disclosure and handling guidance can cause operators to unknowingly transmit sensitive business inputs or misuse credentials in insecure contexts.

Missing User Warnings

Medium
Confidence: 95%
Finding
The feedback API section documents sending free-form content to a separate external endpoint but omits a clear warning that user feedback text will leave the current tool context. Because feedback content can contain user statements, business context, or sensitive data, this omission raises the risk of unintended disclosure to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.