Buck Mason Stylist Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Buck Mason shopping skill, but it deserves review because it can handle purchases, account tokens, personal photos, public lookbooks, and vote data.

Install only if you are comfortable with a shopping agent that can use personal profile data, generate and publish try-on lookbooks, and potentially complete purchases. Keep profile.md minimal, avoid saving JWTs when order-code lookup is enough, do not enable @stripe/link-cli or auto-publishing unless you want those workflows, and use --no-voting or local-only output for private lookbooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if dst.exists() and dst.stat().st_size > 0:
        return
    tmp = dst.with_suffix(".tmp")
    subprocess.run(["curl", "-sSL", "-o", str(tmp), src_url], check=True)
    img = Image.open(tmp).convert("RGB")
    h = round(w * 4 / 3)
    ratio = max(w / img.width, h / img.height)
Confidence
93% confidence
Finding
subprocess.run(["curl", "-sSL", "-o", str(tmp), src_url], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        dst = OUT / f"{look_id}.jpg"
        if not dst.exists():
            tmp = dst.with_suffix(".tmp")
            subprocess.run(["curl", "-sSL", "-o", str(tmp), src_url], check=True)
            web_jpeg(tmp, dst, max_w=1200)
            tmp.unlink()
        look_hero[look_id] = dst.name
Confidence
94% confidence
Finding
subprocess.run(["curl", "-sSL", "-o", str(tmp), src_url], check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    base = args.url if args.url.endswith("/") else args.url + "/"

    def head(url):
        r = subprocess.run(["curl", "-sIL", "--max-time", "15", url], capture_output=True, text=True)
        return r.stdout

    def get(url):
Confidence
93% confidence
Finding
r = subprocess.run(["curl", "-sIL", "--max-time", "15", url], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return r.stdout

    def get(url):
        r = subprocess.run(["curl", "-sSL", "--max-time", "15", url], capture_output=True, text=True)
        return r.stdout

    # D1
Confidence
93% confidence
Finding
r = subprocess.run(["curl", "-sSL", "--max-time", "15", url], capture_output=True, text=True)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Programmatic inbox access to retrieve magic links is broader than necessary for a shopping assistant and can expose unrelated email contents if misused or over-scoped. Even though the text says to prefer paste-back and requires authorization, enabling inbox-reading materially expands the skill from commerce assistance into account-access tooling.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Persistently storing customer JWTs for reuse creates a durable account-access token in local profile storage, increasing the blast radius of workspace compromise, accidental disclosure, or reuse by unrelated sessions. Because the JWT enables order history and account-related actions, long-lived storage turns a temporary login into standing access to customer data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The document expands the skill from shopping/styling into returns and order-tracking flows, including access paths to customer order history and return operations. That broadens the agent’s reachable data and actions beyond the manifest’s stated purpose, increasing privacy and misuse risk if the agent uses these endpoints without a narrowly scoped user request and consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The guidance explicitly recommends using the customer’s full order history to seed a wardrobe profile, which encourages collection and secondary use of personal purchase data beyond what is necessary for a styling interaction. This creates a privacy overreach risk, especially because historical orders can reveal sensitive preferences, sizes, and behavior across a year of purchases.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document directs the agent to enumerate local tooling and authenticated status across multiple third-party hosting providers to decide where it can publish files. Even without exfiltrating secrets directly, this is unnecessary environment and account reconnaissance for a shopping/styling skill and could reveal sensitive capability information or trigger unintended use of customer-linked cloud accounts for public hosting.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The probe script explicitly tests authenticated identities and credentials for Cloudflare, Netlify, Vercel, GitHub, and AWS using commands such as whoami, auth status, and sts get-caller-identity. In the context of a retail stylist skill, this is overbroad credential discovery unrelated to core functionality and creates a path for the agent to leverage whatever privileged accounts happen to be configured on the machine to publish public artifacts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This section enables fully agent-driven checkout via a local payment CLI, expanding the skill from recommendation into purchase execution with real financial consequences. In a stylist skill, invoking a local payment tool and clearing a payment challenge is materially more dangerous because prompt injection, confused-deputy behavior, or weak consent handling could turn a shopping suggestion flow into unauthorized spending.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The design stores voter IP addresses and user agents in KV and later exposes full vote history via the tally endpoint, even though that data is not necessary for basic thumbs/comment feedback. This creates unnecessary personal-data collection and retention risk, and if the tally URL leaks, third parties can access identifying metadata about voters.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script adds a feedback/voting collection feature and associated backend integration that is not part of the stated Buck Mason shopping/checkout capability set. Expanding a shopping skill to collect behavioral feedback and send it to an API increases data collection and attack surface without clear necessity, which is especially risky in an agent context where users may not expect this secondary processing.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The injected form collects a user-identifying name plus free-form comments and transmits them to /api/vote. Free-form comments can contain sensitive personal data, and the name field directly identifies the user; for a personal shopping skill, this is unnecessary collection unless explicitly justified, disclosed, and governed.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script explicitly scans calendar event titles and descriptions for medical and therapy terms such as doctor, dentist, therapist, counseling, colonoscopy, and obgyn, then uses that inference to drive behavior. Even though the current action is to suppress lookbook generation rather than expose the data, this still constitutes processing highly sensitive health-related information that is not necessary for a clothing-shopping skill and could normalize or expand into broader profiling of private calendar content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The profile template asks users to provision and store a Cloudflare KV namespace identifier for 'lookbook voting,' which is unrelated to the core personal-shopping function and expands the skill's operational scope into external infrastructure management. This increases attack surface and may trick users into granting the agent access to cloud resources it does not need, enabling misuse of external services or persistence beyond the shopping workflow.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The template normalizes persistent storage of payment-related preferences and directs the agent to use external link-cli tooling and Stripe Link wallet flows, which goes beyond simple apparel recommendations into payment orchestration. Even though it warns against storing full card data, it still encourages handling sensitive payment context in a persistent workspace, raising the risk of unauthorized purchases, wallet misuse, or exposure of financial metadata if the workspace or agent is compromised.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a generic unauthenticated voting endpoint that is unrelated to the stated Buck Mason personal shopping/stylist functionality. The mismatch is dangerous because it introduces an undocumented data-collection and write capability into the skill, increasing attack surface and enabling abuse such as spam voting, reputation manipulation, or covert telemetry collection under a shopping-oriented skill context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code stores client IP address and user-agent alongside submitted content even though that collection is not necessary for the described stylist/shopping purpose. In this context, hidden retention of network and device metadata creates privacy and compliance risk, and it becomes more suspicious because the surrounding feature itself is not aligned with the declared skill behavior.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This endpoint returns the full raw vote list, including per-voter identifiers, comments, timestamps, and item/look preferences, with no authentication or authorization check. Relying on an unlinked or hard-to-guess URL as the only protection is not real access control, so anyone who obtains or guesses the URL can access potentially sensitive preference and identity data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comment explicitly states that the URL itself is the shared secret, but the implementation performs no validation of any secret, token, or authenticated identity. This creates a false sense of security and can lead operators to expose a sensitive endpoint under the mistaken belief that it is protected.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the skill sends user reference photos to OpenAI's image editing endpoint for virtual try-on, but it does not present a clear user-facing privacy notice, consent flow, or data-handling warning. Because photos and profile attributes can be sensitive biometric or personal data, transmitting them to a third party without explicit disclosure increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README says hosted HTML lookbooks with partner voting are enabled by default, but it does not clearly warn that generated outfit images of the user may be published to external hosting and viewed by others. This creates a real privacy exposure because personal likeness and style data may be disclosed outside the local agent environment without prominent informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section documents authenticated and guest order-history access patterns and then promotes reusing purchased-item data for wardrobe seeding without a clear warning about consent, minimization, or purpose limitation. In a consumer-facing shopping skill, that omission materially raises the chance the agent will access and repurpose account/order data in ways the user does not expect.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example initiates checkout by collecting and transmitting buyer PII (name, email, phone, full address) and then proceeding to payment-link approval, but the markdown does not instruct the agent to obtain explicit consent or warn the user before sending that data to the backend. In a shopping skill that reuses profile data across requests, this omission increases the risk of silent disclosure of sensitive personal information and accidental checkout initiation.

VirusTotal

VirusTotal findings are pending for this skill version.
