Security audit

Junglescout Keyword Share Of Voice

Security checks across malware telemetry and agentic risk

Overview

The core Jungle Scout keyword analysis is coherent, but the skill also asks agents to automatically send broad feedback details to a separate LinkFox service without explicit approval.

Install only if you are comfortable sharing Amazon keyword queries and a LinkFox API key with LinkFox. Treat the automatic feedback behavior carefully: it may send user intent or interaction details to a separate feedback service, so use it only where that extra reporting is acceptable or can be blocked by policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The documented Feedback API introduces a second outbound capability unrelated to the skill's declared Share of Voice analysis function. That expands the skill's data egress surface and could enable transmission of user content or conversation-derived data to a separate service without necessity or clear consent, which is a real security and privacy concern.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding:
Posting feedback to an external API is not justified by the skill's stated purpose of keyword Share of Voice analysis, so it creates unnecessary opportunity for exfiltration of user prompts, satisfaction signals, or derived business context. Because the endpoint is public-facing and distinct from the tool API, it materially broadens the trust boundary without a functional need tied to the requested analysis.

VirusTotal

67/67 vendors flagged this skill as clean.
