ClawHub

卖家之家(跨境电商)技能商城(skillhub/clawhub/搜技能/热门技能/免费技能/付费技能)

Security checks across malware telemetry and agentic risk

Overview

This skill is an instruction-only MJZJ SkillHub integration whose external API calls and API key use match its disclosed marketplace search, cover upload, and skill submission purpose.

Install this only if you intend to use MJZJ SkillHub. Configure MJZJ_API_KEY only for authenticated publishing or cover uploads, avoid submitting sensitive files as cover images, and review all skill submission details and returned install guidance before sending or following it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

External Transmission

Medium
Category
Data Exfiltration
Content
自定义封面时,先申请上传临时文件:

```bash
curl -X POST "https://data.mjzj.com/api/common/applyUploadTempFile" \
  -H "Authorization: Bearer $MJZJ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
81% confidence
Finding
https://data.mjzj.com/

External Transmission

Medium
Category
Data Exfiltration
Content
然后把返回的 `path` 作为 `coverFile` 提交:

```bash
curl -X POST "https://data.mjzj.com/api/skillManage/applyNew" \
  -H "Authorization: Bearer $MJZJ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
79% confidence
Finding
https://data.mjzj.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal