Security audit

Affiliate Marketing Auto

Security checks across malware telemetry and agentic risk

Overview

This affiliate marketing skill is coherent overall, but it should be reviewed because its click tracking records raw visitor metadata without clear privacy controls.

Review before installing or deploying. Treat the product and revenue outputs as demo-grade unless the publisher documents real integrations. Do not deploy the click tracker on public traffic until you add a privacy notice or consent basis, minimize or anonymize IP/user-agent/referrer/location data, and define retention and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The example explicitly records click-tracking metadata including IP address, user agent, and referrer, which are personal or potentially identifying data in many jurisdictions. Even though this is demo code, it normalizes privacy-sensitive collection without notice, consent, minimization, or retention guidance, making downstream misuse or noncompliant deployment more likely.

Missing User Warnings

Medium
Confidence: 94%
Finding
The module records and retains IP address, user agent, referrer, and location data for every click, which are privacy-sensitive identifiers and can constitute personal data under many privacy regimes. In this skill context, a link tracker is specifically designed to profile user traffic, so collecting this data without any consent flow, minimization, retention controls, or disclosure increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
