ClawHub

Price Tracker

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it presents randomly generated demo prices as real price tracking, which could mislead buying or resale decisions.

Install only if you treat it as a demo or simulation. Do not rely on its prices, history, predictions, alerts, or arbitrage margins for purchases or resale decisions unless it is updated to use verified marketplace APIs or clearly labels all simulated outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script advertises retrieval and analysis of historical price data, but the implementation uses randomly generated mock values. In a price-tracking and arbitrage skill, this can mislead downstream users or agents into making financial decisions based on fabricated market history, which is a real integrity and trustworthiness issue even if it does not directly enable code execution.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The get_price_history function name and docstring imply that it fetches genuine historical prices, but it actually calls generate_mock_history to synthesize data. Because this skill is explicitly meant to identify arbitrage opportunities and profit margins, the mismatch is especially dangerous: users may trust the outputs as market evidence and incur financial loss from false trend analysis and predictions.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description is broad enough to trigger on generic shopping, product search, competitor analysis, and pricing requests, which can cause the skill to activate outside its intended boundaries. Over-broad invocation increases the chance the agent routes unrelated user tasks into this skill, leading to unnecessary data handling, unintended automation, or use of price-tracking workflows where they are not appropriate.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal