Brand Protection Walmart

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised for Walmart brand protection, but its working templates and action plans repeatedly target Amazon, which could mislead users in a seller enforcement workflow.

Install or use this only after careful review. Treat all generated complaint and legal-style text as drafts. Verify the marketplace, policy references, seller identifiers, evidence, and legal wording before sending anything, and do not rely on it as Walmart-ready without rewriting the Amazon-specific parts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The code and generated action plan are explicitly Amazon-focused while the skill is advertised as a Walmart brand protection toolkit. This mismatch can mislead users into filing complaints on the wrong platform, making incorrect enforcement decisions, or exposing sensitive seller/brand data to an unintended third party. In a security context, deceptive capability/target mismatches are dangerous because downstream automation or user trust may rely on the stated platform scope.

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The module header claims image theft detection and risk evaluation features that are not actually implemented. This can cause operators or higher-level agents to assume protections exist when they do not, leading to missed abuse cases and unsafe business decisions based on incomplete detection coverage. In security-sensitive tooling, overstated detection capabilities reduce trust and create blind spots.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill metadata claims a Walmart brand-protection toolkit, but these templates direct users to Amazon Brand Registry and Amazon-specific complaint workflows. This mismatch can mislead operators into taking actions on the wrong platform, submitting incorrect complaints, or disclosing sensitive enforcement details to an unintended service, which is especially risky in a legal/compliance workflow.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The cease-and-desist and test-buy guidance are framed around Amazon marketplace processes despite the skill being presented as Walmart-focused. In a brand-protection context, inaccurate enforcement guidance can cause improper legal notices, wasted investigation effort, and operational mistakes that undermine evidence collection or compliance actions.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The additional non-English templates repeat the same Amazon-specific workflow mismatch, extending the problem to another language path. This increases the blast radius because multilingual users may rely on these templates for real enforcement actions and be misdirected just as easily, with less chance of noticing platform inconsistencies.

VirusTotal

64/64 vendors flagged this skill as clean.