Clawver Store Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawver analytics helper that uses an API key to read store metrics, with no evidence of hidden execution or destructive behavior.

Install only if you intend to let an agent query your Clawver store analytics. Use a scoped or read-only CLAW_API_KEY if available, do not paste or log the key in shared contexts, and remember the agent can retrieve revenue, order, refund, product, and review data available to that key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill description is broad enough to trigger on generic business-analysis or sales-reporting requests, which can cause the agent to invoke this skill outside a clearly scoped Clawver-store context. That increases the chance of unnecessary access to store analytics and associated sensitive business data through the configured external API.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs use of a bearer API key against external analytics, orders, and reviews endpoints without any disclosure that store performance data and customer-related review/order information will be transmitted to a third-party service. In an agent setting, this can lead to silent exfiltration of commercially sensitive data and authenticated access being used without informed user consent.

VirusTotal

65/65 vendors flagged this skill as clean.
