ClawHub

Auction Bidding Strategist

Security checks across malware telemetry and agentic risk

Overview

This auction-bidding skill does not appear malicious, but its high-stakes financial guidance has enough scope and accuracy concerns to require review before use.

Review this skill carefully before installing. Use it only as an educational or planning aid, not as the sole basis for real bids, acquisitions, real-estate offers, or procurement decisions. Require qualified legal, financial, valuation, or procurement review before acting on its recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest explicitly says the skill does not cover procurement auctions requiring cost estimation, yet the body includes procurement-specific bidding guidance and a worked example based on delivery cost. This scope contradiction can cause an agent to apply the skill in excluded, high-stakes contexts with misplaced confidence, increasing the chance of harmful or unsuitable recommendations.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The example mixes a standard Vickrey label with a reverse/procurement second-price mechanism where the lowest bidder wins, which is conceptually different and easy for users or downstream agents to misapply. In a decision-support skill that produces concrete bid recommendations, mislabeled auction mechanics can directly lead to selecting the wrong bidding rule and financially harmful outputs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill provides specific, actionable bidding advice for real estate, M&A, procurement, and other financially material transactions without any requirement for legal, financial, or professional validation. Because the skill is framed as delivering the 'optimal' bid and an explicit numerical recommendation, users may over-trust it in contexts involving large sums, regulatory constraints, fiduciary duties, and incomplete information.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal