LinkFoxAgent

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed e-commerce research integration, but it exposes live ERP mutation endpoints and caches access tokens despite presenting parts of the workflow as query/data retrieval only.

Review this skill before installing if you connect it to Lingxing ERP or sensitive commerce accounts. Use least-privilege API keys, avoid giving it credentials that can modify orders/listings/prices unless you intend that, do not upload private screenshots or documents as images, and clear local output/token files after sensitive runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding
The script advertises itself as a query-only Lingxing OpenAPI CLI, but its registered endpoints include state-changing operations such as setting remarks, manual price adjustments, and other operational APIs. This mismatch is dangerous because users, reviewers, or higher-level agents may invoke it under a read-only trust assumption and unintentionally modify live commerce, order, or listing data.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.
Finding
The comments and CLI help repeatedly frame the tool as a query interface, yet the implementation exposes mutation-capable endpoints. In an agentic environment, misleading interface descriptions are security-relevant because they weaken operator scrutiny and can cause automated systems to route sensitive write actions through a supposedly safe read-only skill.

Missing User Warnings

Severity: Medium. Confidence: 97%.
Finding
The sample request shows realistic secret-bearing headers, including a bearer token and client identifiers, without an explicit warning that they are placeholders and must never be reused or committed. In a skill focused on API-driven Amazon Ads reporting, users may copy the example verbatim into logs, prompts, code, or shared docs, increasing the chance of credential leakage or accidental use of real-looking secrets.

Missing User Warnings

Severity: Medium. Confidence: 89%.
Finding
The document instructs operators to export Lingxing AppID/AppSecret and use them to pull live ERP data, but it does not include any privacy, least-privilege, redaction, or safe-handling guidance for credentials and returned business data. In a skill that orchestrates external tools and sub-sessions, this increases the risk that secrets are exposed in shell history, logs, transcripts, or passed to downstream tasks without clear safeguards.

Vague Triggers

Severity: Medium. Confidence: 89%.
Finding
The trigger terms are very broad, including generic words such as search, web search, information query, community, posts, and public-opinion platforms. In an agentic system, this can cause accidental invocation in unrelated contexts, leading the agent to fetch external untrusted content unexpectedly and expand the attack surface for prompt injection or data-handling mistakes.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding
The script explicitly uploads a local image with the header x-oss-object-acl: public-read and then returns a public URL, but it provides no warning, confirmation, or visibility controls to help users understand that the file will be internet-accessible. In a skill that processes product images and local files, this creates a real confidentiality risk if users accidentally upload sensitive screenshots, internal product assets, or documents converted to images.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.