Obtain Coupons All In One: All-Platform Coupon Assistant - One-Stop Access to Food Delivery, Courier, Travel, and Movie Ticket Coupons

Security checks across malware telemetry and agentic risk

Overview

This coupon skill uses disclosed external coupon APIs and returns coupon links or QR codes, with no evidence of hidden credential access, persistence, or destructive behavior.

Install only if you are comfortable with a coupon skill querying third-party coupon services and showing third-party links or QR codes. Verify destinations before opening or scanning them, and avoid entering account, payment, or personal information unless you confirm you are on the intended platform.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 89% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation about discounts, causing the skill to activate unexpectedly and send requests to external coupon services without clear user intent. That can lead to unnecessary third-party data exposure, confusing behavior, and accidental invocation of a networked skill in unrelated chats.

Missing User Warnings

Medium, 93% confidence
Finding
The overview explains functionality but does not clearly warn users that requests are sent to third-party coupon APIs and that request metadata or query context may be exposed externally. In a skill that aggregates multiple providers, this omission reduces informed consent and increases privacy risk, especially if invoked on vague prompts.

Natural-Language Policy Violations

Medium, 84% confidence
Finding
The skill repeatedly directs users to open links or scan QR codes with WeChat, which nudges users toward a specific external app and browsing context without explaining why that is necessary or offering neutral alternatives. This can create unnecessary dependence on a third-party platform and may route users through tracking or less transparent link-handling flows.

VirusTotal

66/66 vendors flagged this skill as clean.
