ClawHub
Back to skill

Security audit

Nex Pricewatch

Security checks across malware telemetry and agentic risk

Overview

This skill is a local price-monitoring tool with optional Telegram alerts, and the reviewed behavior matches that purpose.

Install only if you are comfortable storing monitored pricing data locally. Leave Telegram disabled for sensitive competitor or supplier monitoring, because enabling it can send alert details to Telegram. Review the URLs you configure and avoid monitoring private or unauthorized endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The Telegram setup instructions encourage sending alert information to a third-party service without clearly warning that monitored pricing and metadata may leave the local machine. For a tool advertised as local-first, this can cause unintended data disclosure, especially if targets include commercially sensitive competitor or supplier pricing.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase list is extremely broad and includes common words like 'price', 'monitor', and 'competitor', which can cause the skill to activate in contexts where the user did not intend competitive web scraping or price monitoring. Over-broad activation increases the chance an agent will invoke networked monitoring behavior unexpectedly, creating privacy, consent, and unintended-action risks.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
When --telegram is used, the tool transmits alert content about monitored targets over the network without clearly warning the user at the point of action what data will be sent externally. In a business monitoring context, target names, pricing changes, and competitor information may be commercially sensitive, so undisclosed outbound transmission increases confidentiality risk.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal