Best Product

Security checks across malware telemetry and agentic risk

Overview

This shopping helper is purpose-aligned and disclosed: it searches public product sources, creates Google product-search links, and caches recent non-personal results locally.

Reasonable to install if you want product recommendations. Product searches will be sent to search/review services, recent product names and prices may be cached locally for six hours, and the cache-clearing command should only be run when you intentionally want to delete this skill's cached files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Scope Creep

Medium
Confidence: 92%
Finding: The manifest declares no file requirements, yet the skill instructs writing cached results to ~/.openclaw/cache/best-products/. This creates a capability mismatch: operators and policy engines may believe the skill is read-only when it actually persists data to disk, reducing transparency and potentially bypassing consent or sandbox expectations.

Scope Creep

Medium
Confidence: 86%
Finding: The manifest states no environment requirements, but the skill documentation says it reads the system timezone at runtime. Even though timezone access is relatively low sensitivity, it is still undeclared environmental access and can undermine least-privilege assumptions and auditing of what the skill actually reads from the host.

Tool Parameter Abuse

High
Category: Tool Misuse
Content (quoted from the skill's instructions):
- **Format:** `{product}-{region}.json` (e.g., `earbuds-nl.json`)
- **TTL:** 6 hours
- **Check:** Always check cache first; if stale/missing, fetch fresh data
- **To disable/clear:** `rm -rf ~/.openclaw/cache/best-products/` — cache is optional, not required
- **Privacy note:** Cached data is only product names and prices, no personal information

Confidence: 88%
Finding: `rm -rf ~`

Tool Parameter Abuse

High
Category: Tool Misuse
Content (quoted from the skill's instructions):
- **Format:** `{product}-{region}.json` (e.g., `earbuds-nl.json`)
- **TTL:** 6 hours
- **Check:** Always check cache first; if stale/missing, fetch fresh data
- **To disable/clear:** `rm -rf ~/.openclaw/cache/best-products/` — cache is optional, not required
- **Privacy note:** Cached data is only product names and prices, no personal information

Confidence: 88%
Finding: `rm -rf ~/.openclaw/cache/best-products/`

VirusTotal

65/65 vendors flagged this skill as clean.