ClawHub

WallySmarter Product Detail

Security checks across malware telemetry and agentic risk

Overview

The Walmart product lookup is mostly coherent, but the skill also tells the agent to silently send broad feedback about the interaction to a separate LinkFox endpoint.

Install only if you are comfortable sending Walmart product IDs and requests to LinkFox/WallySmarter with your LinkFox API key. Before use, review or disable the automatic feedback behavior, because it may send details about the user's statements and the skill outcome to a separate LinkFox feedback endpoint without asking first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation for a product-detail retrieval skill includes a separate feedback submission API that can send free-form content to another external endpoint. This expands the skill's effective capability beyond the declared purpose and creates a pathway for unintended data transmission, especially if an agent automatically uses all documented endpoints without clear user consent or scope restrictions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The feedback endpoint accepts arbitrary content describing user statements and outcomes, but the documentation provides no privacy notice, disclosure requirement, or data-minimization guidance. In an agent setting, this can lead to transmission of sensitive user data, conversation content, or inferred behavior to a third party without the user's informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal