ClawHub

Supply Chain Optimization Walmart

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local calculator, but its Walmart-focused business analysis uses Amazon/FBA assumptions that could mislead seller decisions.

Review the formulas before relying on this for Walmart decisions. It is not showing malicious behavior, but its platform assumptions and labels should be fixed or manually adjusted, especially payment-cycle and WFS fee handling. Verify the GitHub source before global installation and treat any Walmart API credentials as sensitive if you choose to use authenticated workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is advertised as Walmart-focused, but the data model and calculations are heavily Amazon/FBA-centric, including field names like `fba_fee` and default platform behavior set to Amazon. This can mislead users into making business decisions using the wrong fee model and assumptions, which is a real integrity issue for a financial-analysis skill even though it is not a traditional code-execution flaw.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The cash-cycle calculation hardcodes a 14-day Amazon payment-cycle assumption while presenting platform-specific benchmarking for Walmart, TikTok, and Shopify. In a supply-chain and cash-flow decision tool, this can materially distort working-capital analysis and recommendations, making it a genuine integrity vulnerability in the skill's business logic.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal