Grocery Shopping Assistant

Security checks across malware telemetry and agentic risk

Overview

This grocery checklist skill mostly matches its purpose, but it needs Review because it can send stored grocery data through a Telegram bot to fallback recipients and includes under-disclosed session-pruning tooling.

Install only if you are comfortable giving the skill access to a Telegram bot token and allowing it to send grocery-list contents through that bot. Prefer a dedicated grocery-only Telegram bot with a tight allowFrom list, avoid wildcard script allowlisting where possible, and review or remove the session-pruning script if you do not want the skill package to alter grocery agent session files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The skill is presented as a normal conversational grocery checklist with Telegram UI support, but the described behavior expands into a standalone Telegram bot that polls, parses free-form messages itself, directly sends/edits/deletes messages, reads bot secrets from local config, and manipulates agent session files. This mismatch is dangerous because it conceals materially broader authority and attack surface than users would expect, reducing informed consent and making it easier for a seemingly simple skill to access secrets, perform network actions, and modify unrelated local state.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding
When `render-telegram` is invoked without an explicit target, the script broadcasts checklist content to all prior active-view targets or falls back to every `allowFrom` identity in config. That can disclose pantry/shopping data to unintended recipients and turns a seemingly targeted action into a multi-recipient send, which is more dangerous in an agent context.

VirusTotal

64/64 vendors flagged this skill as clean.
