Product Price Comparison Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed e-commerce price comparison helper, but its output should be double-checked because one analysis script can mislabel risk levels.

Install only if you want public e-commerce price comparison and advisory purchase guidance. Do not provide account credentials, payment information, order histories, cookies, or private shopping data. Confirm the region and platform list, ask for source links and collection time, and treat risk labels as advisory because the current script may misclassify some recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 96%
Finding: This is a real logic flaw: risk results are stored under a nested `risk_assessment` key, but downstream code reads `risk_level` as if it were top-level and falls back to the default value `中`. As a result, the skill can systematically misclassify platform risk and produce unsafe purchase recommendations, which is especially concerning because the skill's stated purpose is risk evaluation and fraud/low-price trap avoidance.

Natural-Language Policy Violations

Low
Confidence: 83%
Finding: The guide explicitly states that if the user does not specify a region, the agent should default to mainland China. This can cause inaccurate price comparisons, tax/shipping assumptions, and misleading purchasing advice for users in Hong Kong, Macau, Taiwan, or overseas, especially because the skill is focused on cross-platform price and risk analysis where region materially affects availability and final cost.

VirusTotal

65/65 vendors flagged this skill as clean.