eBay Account Automation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate live eBay seller-account behavior, including account-state changes, with insufficient guardrails for a marketplace account workflow.

Review carefully before installing. Only use this with accounts you own or are explicitly authorized to operate, assume it may violate eBay or marketplace rules, keep ADS Power credentials out of source control, and avoid enabling any watchlist/cart actions unless you have explicit account-level approval and understand the suspension or business impact risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The instructions direct users to store an ADS Power API key in a local config file without any warning about secret handling, leakage, or accidental exposure. Even if gitignored, plaintext local secrets are commonly copied, logged, or committed by mistake, and this key enables control over the local ADS Power automation environment.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README explicitly describes automating eBay seller-account activity to simulate real user behavior, including favoriting items and adding them to cart. These are account-state-changing actions on a third-party platform and, in this context, are presented as a mechanism to 'maintain account activity,' which materially increases the risk of deceptive automation, policy violations, and account compromise or suspension without adequate warning or consent controls.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding:
The README instructs users to place an ADS Power API key in a local config file or environment variables but provides no guidance on protecting, scoping, or excluding those credentials from source control and logs. In a browser-automation skill that can enumerate and launch account sessions, exposed API credentials could allow unauthorized control over multiple managed accounts and associated browser profiles.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
This code automates eBay account activity including searches, watchlist additions, and add-to-cart actions without any user confirmation, visibility, or policy guardrails. In the context of a seller-account automation skill explicitly designed to simulate activity cycles, this is dangerous because it can perform unauthorized marketplace interactions, manipulate engagement metrics, and expose accounts to fraud, abuse, or platform enforcement.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The logger persistently writes account names, run metadata, and raw error messages to disk in a daily log file. In the context of an eBay account automation skill, these logs can expose seller identifiers and potentially sensitive operational details or exception contents to anyone with local filesystem access, and there is no minimization, masking, retention control, or disclosure mechanism shown here.

VirusTotal

64/64 vendors flagged this skill as clean.
