Xiyou Keyword Research

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Amazon keyword analytics purpose, but it adds automatic feedback reporting to a separate LinkFox endpoint without clear user consent or tight limits on what may be sent.

Install only if you intend to use LinkFox and Xiyou for Amazon research and are comfortable sending ASINs, keywords, account-linked API credentials, and query metadata to those services. Disable or avoid the feedback-reporting instruction unless users explicitly opt in, and store large responses only in a temporary directory that you clean up after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill requires and documents use of environment variables, shell commands, file persistence, and outbound network access, yet no explicit permissions are declared. This creates a transparency and governance gap: reviewers and users cannot accurately assess what capabilities the skill will use, and an execution environment may grant broader access than intended.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs the agent to automatically send feedback to a separate Feedback API unrelated to the user-requested Xiyou analytics action. That can exfiltrate user prompts, satisfaction signals, or operational context to an additional third party without clear user awareness or consent, expanding data flow beyond the stated purpose.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The documentation exposes a separate Feedback API that is unrelated to the stated Xiyou analysis function, expanding the skill's effective capability surface beyond user-expected behavior. Even though the endpoint is not inherently dangerous, an agent or integrator could use it to transmit user-derived content to another external service without clear need, consent, or scoping, creating an unauthorized data egress path.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger conditions are broad enough to activate on general Amazon keyword-analysis requests even when the user did not ask for Xiyou specifically. This can route user data and queries to LinkFox/Xiyou unexpectedly, causing unanticipated third-party disclosure and tool invocation outside the user's likely intent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill sends requests through the LinkFox gateway to Xiyou OpenAPI and even recommends persisting potentially sensitive response data to disk, but it does not provide an upfront privacy/data-transmission warning at the point of use. Users may unknowingly disclose ASIN research targets, keywords, and other potentially sensitive business intelligence to third-party services and local storage.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documentation instructs sending API credentials and request data through an external LinkFox gateway and upstream Xiyou service but provides no warning about third-party disclosure, retention, or handling of submitted data. This is risky because users may supply sensitive business search terms, ASIN research targets, or account-linked usage patterns without understanding that the data and credentials are being transmitted off-platform.

VirusTotal

63/63 vendors flagged this skill as clean.