ClawHub
Back to skill

Security audit

Pantry Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it stores email-derived grocery data in Supabase while the included database setup lacks the access controls implied by its anon-key guidance.

Review before installing. Use a private Supabase project, add Row Level Security policies before using an anon key, avoid storing order IDs unless needed, and only enable the recurring email scan if you are comfortable with ongoing processing of grocery-order emails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill uses environment variables and networked Supabase access, but no explicit permission declaration is present in the manifest. That creates a transparency and policy-enforcement gap: users and host systems may not realize the skill can transmit pantry and email-derived data to an external backend.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation description is broad enough to match ordinary conversation about groceries, freshness, or food waste, which can cause unintended invocation. In context, that matters because the skill can write structured data to Supabase and influence email-parsing workflows, so accidental triggering could lead to unintended data processing or storage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to parse grocery order emails and write extracted contents into Supabase, but the user-facing description does not clearly warn that email-derived purchase data will be stored externally. This undermines informed consent and increases privacy risk, especially since grocery purchases can reveal sensitive lifestyle, health, or household information.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal