Back to skill

Security audit

Clawver Digital Products

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Clawver store helper, but its examples can make live product changes and generate sensitive download links.

Install only if you want an agent to help manage Clawver digital product listings. Use a scoped or revocable API key if available, review product IDs, prices, status changes, uploads, and archive/delete actions before running commands, and treat generated signed download URLs as secrets that should only be sent to the intended customer over trusted channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to generate customer download links but does not warn that the returned signed URL is effectively a bearer credential granting access to the digital file for its lifetime. If the URL is logged, shared in chat, embedded in analytics, or exposed to the wrong recipient, unauthorized parties could download paid content without further authentication.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples use real authenticated API calls to create, upload, and activate products, but they do not warn that running them will modify live store data. In a skill specifically meant to create and sell digital products, users may reasonably copy-paste these commands, so omission of a sandbox/test-data warning increases the chance of unintended listings, uploads, or inventory changes.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.