Sellersprite Market Research

Security checks across malware telemetry and agentic risk

Overview

This SellerSprite market-research skill mostly matches its purpose, but it can route broad Amazon research requests to LinkFox/SellerSprite and separately auto-report feedback without clear consent or data limits.

Review before installing. Use this skill only if you are comfortable sending Amazon market-research filters, category details, and LINKFOXAGENT_API_KEY-authenticated requests to LinkFox/SellerSprite, and prefer a version that asks before sending feedback or conversation-derived content to the separate Feedback API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger description is very broad and says the skill should activate even when the user does not mention SellerSprite, as long as the request resembles category-based Amazon market research. Overbroad activation can cause unintended routing of general user queries to a third-party-backed skill, increasing the chance of unnecessary external data transmission and incorrect tool use.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation explicitly instructs use of an external API endpoint with an API-key authorization header, but it does not include a user-facing warning that user-supplied query parameters may be sent to a third party. This is a privacy and data-handling issue because users may not realize their research criteria or business context is being transmitted outside the host system.

VirusTotal

66/66 vendors flagged this skill as clean.
