
Security audit

Shop

Security checks across malware telemetry and agentic risk

Overview

This shopping skill requests sensitive shopping, account, and payment abilities, but the artifacts disclose them and include user-control and safety gates.

Install only if you are comfortable connecting a Shop account and letting the assistant use Shop/Shopify services for product search, order lookup, checkout, and optional visualizations. Review purchase confirmations carefully, be cautious with delegated spending budgets, and avoid sending photos or precise location details unless they are needed for the task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The visualization section suggests the assistant may save a user's photo locally on their device, but it does not clearly define consent, retention, access boundaries, or whether saving is optional and user-initiated. Because this skill handles sensitive personal shopping and image data, ambiguous storage language can lead to privacy violations or over-collection of user photos.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guidance explicitly encourages sending buyer signals such as country, region, postal code, language, currency, and free-form intent to the catalog service, while only saying to pass signals the user provided. It does not require explicit user notice, consent, data minimization for sensitive free-text intent, or warn that these fields may reveal personal preferences or location data to a third-party service, creating a real privacy risk in a shopping assistant that may handle sensitive consumer context.

VirusTotal

63/63 vendors flagged this skill as clean.
