test-vip

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only product search helper with expected network lookup behavior, but it is incomplete and should be used only after reviewing the missing helper script and referenced consultant skill.

Before installing, confirm you trust and have inspected the missing query_search_products.py script and the vipshop-product-consultant skill it calls. Avoid using sensitive personal search terms unless you are comfortable with those terms being sent to an external shopping search service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 82% confidence
Finding
The invocation condition is overly broad: it says to call the skill whenever users have shopping-related requests in several common categories. That can cause unintended activation on ordinary user queries, increasing the chance that user search terms are sent to external services without clear user intent or consent, especially since the skill performs direct HTTP requests and nested concurrent calls.

Missing User Warnings

Medium, 89% confidence
Finding
The skill explicitly states it uses direct HTTP calls for search but does not disclose that user-provided keywords will be transmitted over the network to third-party services. In a shopping context, search terms can reveal sensitive preferences or personal circumstances (for example, pregnancy, infant products, or medical-adjacent items), so lack of transparency creates a privacy and consent risk.

VirusTotal

63/63 vendors flagged this skill as clean.
