ClawHub

Seller Profit Calculator

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Excel order-profit calculator; it handles sensitive order data as part of its stated purpose, with privacy documentation gaps but no implemented hidden upload, persistence, or destructive behavior found.

Use this only with order exports you are authorized to analyze, and prefer redacted or minimal spreadsheets when possible. Treat stdout, JSON, markdown reports, and header-analysis files as sensitive because they may contain order, store, SKU, financial, or customer-related data. Avoid relying on the README's undocumented '--api' example unless a future version clearly explains what data is sent, stored, and retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to configure an API key and run the tool in a remote API mode, but it does not disclose that uploaded order exports may be transmitted off the local machine. Because order exports commonly contain sensitive business and customer data, this omission can lead users to unknowingly send confidential data to a third-party service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly encourages uploading order exports from any platform or ERP, and such files commonly contain sensitive business data and often personal data such as customer names, addresses, phone numbers, emails, and financial details. Without a warning, minimization guidance, or handling instructions, users may expose regulated or confidential information to the agent or downstream tooling unintentionally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script prints sample rows from uploaded Excel workbooks to stdout or writes them to JSON files without any warning, masking, or consent flow. In this skill’s context, uploaded order exports may contain sensitive commercial data or personal information, so exposing representative row contents can leak data into logs, terminals, downstream tooling, or shared files.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal