WPClaw Lite (WordPress/WooCommerce connector)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward WooCommerce connector, but users should protect the store secret and be careful with customer/order data returned into chats.

Install only if you trust this skill and the WPClaw Connector plugin on your WordPress site. Store WPCLAW_STORE_SECRET in a protected secrets mechanism, do not paste it into chats or commit it to source control, rotate it if exposed, and remember that order lookups may put customer/order details into agent responses or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding:
The skill declares required environment variables, including a store secret, but does not declare permissions or otherwise make the capability explicit in a structured way. This creates a transparency and review gap: users or platform policy checks may not clearly see that the skill depends on sensitive configuration, increasing the chance of unsafe deployment or unintended secret exposure through downstream tooling.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README instructs users to configure a long-lived store secret and highlights access to order and customer information, but it does not warn that these are sensitive credentials and data. This increases the chance that operators will mishandle the secret, expose it in logs or repos, or allow broad agent access to personally identifiable customer/order data without appropriate safeguards.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The skill instructs users to provide a secret credential but gives no warning about secure handling, rotation, or avoiding disclosure in prompts, logs, or outputs. In a connector skill that interfaces with an external store, this omission increases the risk of accidental credential leakage or misuse by operators who may treat the value as ordinary configuration.

VirusTotal

58/58 vendors flagged this skill as clean.
