ClawHub

Trading Card Analysis & eBay Listing Specialist

Security checks across malware telemetry and agentic risk

Overview

This markdown-only card-selling skill is not malware, but it needs review because its templates and research guides can steer users toward unsupported investment and eBay listing claims.

Install only if you are comfortable reviewing all generated listing copy before use. Verify or remove seller status, feedback percentages, shipping promises, authentication guarantees, population counts, scarcity claims, market trends, and investment language; do not treat the portfolio or stop-loss material as financial advice, and provide eBay or PSA credentials only through trusted secret management with least-privilege access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This content materially expands the skill from card evaluation and listing support into investment advice, portfolio recommendations, avoid lists, exit strategies, and stop-loss guidance. That scope creep is dangerous because an agent using this file could provide regulated or high-stakes financial guidance to users under the guise of a collectibles assistant, increasing legal, compliance, and user-harm risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The continuous monitoring and weekly portfolio review sections instruct the agent to track holdings, validate investment theses, consider profit-taking, and evaluate stop-losses. In context, this turns a card-specialist skill into an ongoing investment-management workflow, which is outside the declared purpose and could steer users into consequential financial decisions based on speculative automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template contains strong unverifiable marketing and trust claims such as 'INVESTMENT GRADE,' 'Authentication Guarantee,' '99.8% Positive Feedback,' 'Top Rated Seller,' and specialist verification language, but it does not require the user to confirm these statements before publishing. In a listing-generation skill for eBay sales, this can directly cause deceptive or noncompliant listings, exposing users to platform enforcement, buyer disputes, chargebacks, and fraud allegations if placeholders are left inaccurate or copied verbatim.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly recommends taking a 'winning' title from an A/B test and applying it across all inventory, but it does not include safeguards such as human review, scoping limits, dry-run output, or confirmation before mass modification. In a seller-operations skill, this can cause unintended large-scale changes to live listings, leading to mislabeling, policy violations, pricing/search degradation, or business disruption if the generated title is wrong or overgeneralized.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The bulk optimization section is designed to prepare optimized titles, descriptions, and pricing for large inventories, yet it omits any caution that these outputs may be used to drive broad listing changes. In the context of an eBay listing optimization skill, that omission increases the risk that users or downstream automation will trust and apply generated changes at scale without checking accuracy, compliance, or item-specific fit.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal