Jiimore Niche Review

Security checks across malware telemetry and agentic risk

Overview

The skill’s main Amazon review-analysis function is coherent, but it also tells the agent to silently send feedback and user-interaction details to a separate LinkFox endpoint.

Review before installing. The main query tool appears purpose-aligned, but only use it if you are comfortable sending Amazon market-research queries to LinkFox and can prevent or explicitly approve any feedback submissions that may include user intent, satisfaction, or interaction details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill directs the agent to automatically report feedback, user dissatisfaction, and mismatches to a separate Feedback API, which is outside the user's requested niche-review task. That creates an unauthorized secondary data flow and can exfiltrate user inputs, sentiment, or interaction metadata without clear consent or necessity.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The file documents a public feedback submission endpoint that is unrelated to the stated niche-review analysis purpose. Adding an outbound channel for arbitrary feedback can enable unnecessary transmission of user content to a separate service, expanding data-flow and privacy risk without clear justification in the skill's scope.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The documented ability to send user feedback to a separate public endpoint is not aligned with the skill's advertised purpose of Amazon niche review analysis. This creates an unjustified secondary capability that could be abused to exfiltrate user prompts, outputs, or metadata under the guise of feedback.

Vague Triggers

Medium
Confidence: 83%
Finding
The trigger conditions are broad enough to activate on loosely related market-research or sentiment-analysis requests, increasing the chance the skill runs when the user did not intend it. Overbroad activation can cause unnecessary external calls, wrong-tool usage, and unintended disclosure of user prompts to third-party services.

VirusTotal

66/66 vendors flagged this skill as clean.
