Autonomous Commerce

Security checks across malware telemetry and agentic risk

Overview

The skill openly performs real purchases, but it requests high-impact account, payment, wallet, and escrow authority without consistently enforced consent, proof, storage, and network boundaries.

Install only after careful review and only if you intentionally want an agent capable of placing real orders. Use a dedicated shopping account, isolated browser profile, low-limit payment method, low-balance wallet, strict merchant and budget limits, and require manual approval immediately before every checkout; delete saved sessions, screenshots, and proof files after use.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%
The example escrow code uses a wallet private key from environment variables, which introduces direct secret-handling and signing capability not reflected in the skill's high-level safety promises. In the context of autonomous commerce and escrow release, compromise or misuse of that key could allow unauthorized fund movements, fraudulent escrow creation/release, or broader wallet compromise.

Intent-Code Divergence

Severity: Medium | Confidence: 90%
The stated network policy says only retailer domains are allowed, yet the documented design depends on external escrow communication. This contradiction is dangerous because it creates false security expectations: either the skill cannot function as described, or it requires broader network egress than disclosed, weakening containment and making external data transfer or fund operations easier than users expect.

Intent-Code Divergence

Severity: High | Confidence: 98%
The function claims to verify cryptographic proof before releasing escrow, but it only validates that the proof string has a hex-like format and that orderData contains a couple of fields. In an autonomous commerce skill that controls real funds, this allows escrow release without establishing that the proof is authentic, bound to the specific order, or even derived from the supplied order data, enabling fraudulent payout or accidental release.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
This check only enforces superficial formatting of a supposed proof hash and does not verify authenticity, integrity, or correspondence to the purchase being settled. In this skill's context, where escrow release is the security boundary for real-world purchases, accepting any well-formed 66-character hex string materially undermines the escrow protection claim.

Missing User Warnings

Severity: Medium | Confidence: 96%
The README promotes autonomous real-world purchasing and checkout, but it does not require an explicit human confirmation step or prominently warn about financial consequences before execution. In a skill designed to place real orders using saved payment methods and addresses, this omission materially increases the risk of unauthorized or accidental purchases, especially if an integrating agent treats the examples as safe defaults.

Missing User Warnings

Severity: Medium | Confidence: 91%
The setup example uses a wallet private key from an environment variable for escrow operations, but the README provides no guidance on secure key handling, storage, rotation, least privilege, or use of a dedicated low-balance wallet. Because this skill controls real funds and purchases, weak operational guidance around secret management can lead to wallet compromise or misuse if developers copy the example without additional safeguards.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill enables autonomous checkout using saved payment methods and addresses but does not present a prominent explicit warning about placing real-world orders and charging existing payment instruments. In this context, omission of that warning is dangerous because it increases the chance of uninformed consent, accidental purchases, and unsafe invocation by downstream agents or users who interpret the skill as mere research assistance.

Missing User Warnings

Severity: Medium | Confidence: 95%
The script reuses a persistent authenticated browser profile to access Amazon and proceed through checkout, enabling purchases with whatever saved credentials, addresses, and payment methods are already present. In an autonomous-commerce skill, this is especially dangerous because session theft, misuse by another local process/user, or accidental execution can directly trigger real-world financial transactions without strong re-authentication or scoped consent.

Missing User Warnings

Severity: Medium | Confidence: 93%
The code stores screenshots of home, search, cart, checkout, and confirmation pages, then writes a proof.json file to /tmp containing order details and references to those screenshots. These artifacts can expose account information, addresses, order IDs, product history, and possibly partial payment or checkout metadata to other local users, processes, backups, or logs, especially because /tmp is a shared and often weakly controlled location.

Vague Triggers

Severity: Medium | Confidence: 90%
The package description advertises broad autonomous commerce capability in a way that can act as an invocation trigger for real-world purchasing behavior without clearly constraining when it should be used. In a skill that can make purchases, ambiguous metadata increases the chance of accidental activation or misuse, which can lead to unauthorized transactions or unintended account actions.

Missing User Warnings

Severity: High | Confidence: 95%
The manifest describes autonomous purchasing and claims proven real-world commerce capability, but it does not present any prominent warning about financial transactions, account use, or irreversible real-world effects. In this context, omission of such warnings is dangerous because users or orchestrators may invoke the skill without understanding that it can spend funds or place orders on external accounts.

Vague Triggers

Severity: Medium | Confidence: 92%
The manifest description explicitly advertises autonomous real-world purchasing capability but does not state any hard invocation boundaries, approval gates, or requirement for per-purchase user confirmation. In an agent ecosystem, broad natural-language claims like this can cause the skill to be selected or invoked for purchase flows without sufficiently explicit user consent, increasing the risk of unauthorized transactions.

Natural-Language Policy Violations

Severity: Medium | Confidence: 95%
The description says the skill will 'Execute real-world e-commerce purchases autonomously,' which implies the agent may complete purchases without an explicit opt-in step for each order. Because this is a commerce skill tied to saved payment methods and shipping addresses, ambiguous opt-in language is especially dangerous: a coordinating agent may interpret this as permission to place actual orders once budget and escrow conditions appear satisfied.

VirusTotal

63/63 vendors flagged this skill as clean.