Yufluentcn Ad Optimize

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed cloud-based advertising optimization client that sends user-provided campaign details to Yufluent using a required API key.

Install only if you are comfortable sending ad campaign prompts, business context, and performance metrics to the configured Yufluent service. Keep TOKENAPI_KEY private, avoid sensitive customer data unless your policies allow it, and set TOKENAPI_BASE_URL only to a trusted endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'url' from os.getenv (line 107, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
url = skill_run_url(base_url or os.getenv("TOKENAPI_BASE_URL", ""), skill_id)
    try:
        resp = requests.post(
            url,
            json=payload,
            headers={
Confidence
95% confidence
Finding
resp = requests.post( url, json=payload, headers={ "Authorization": f"Bearer {key}", "Accept": "application/json",

Tainted flow: 'url' from os.getenv (line 107, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
url = agent_outcomes_url(base_url or os.getenv("TOKENAPI_BASE_URL", ""))
    try:
        resp = requests.post(
            url,
            json=payload,
            headers={
Confidence
95% confidence
Finding
resp = requests.post( url, json=payload, headers={ "Authorization": f"Bearer {key}", "Accept": "application/json",

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill clearly routes user prompts, product details, market information, and performance metrics to Yufluent cloud services, but it does not present a prominent privacy warning or consent notice before that transfer. Users may disclose commercially sensitive advertising data without realizing it leaves the local environment, creating confidentiality and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
