Etsy Pod Automation

Security checks across malware telemetry and agentic risk

Overview

This skill fits Etsy store automation, but it asks agents to publish listings, post publicly, and retire products without clear approval gates.

Install only if you intend to let an agent operate connected Etsy, Printify, and social-media workflows. Use least-privilege tokens, keep credentials out of version control, start in draft or dry-run mode, and require manual approval before publishing listings, changing prices or tags, retiring listings, or posting publicly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill metadata description is broad enough to match many ordinary e-commerce requests, increasing the chance the agent activates this skill in situations where the user did not explicitly ask for Etsy/Printify automation. Because the skill performs potentially account-affecting actions like listing publication and social posting, overbroad routing can cause unintended external actions or unsafe delegation.

Vague Triggers

Medium
Confidence: 92%
Finding
The triggering scenarios are open-ended and action-oriented, but they do not define boundaries, prerequisites, or confirmation requirements. In an agentic environment, this can cause the skill to be invoked for loosely related requests and proceed toward product creation, listing publication, or promotion without sufficiently constrained authorization.

Missing User Warnings

High
Confidence: 95%
Finding
The skill describes automated use of Printify, Etsy, and social media workflows but does not warn that these actions can publish content, change storefront state, or affect linked external accounts. This is especially dangerous because the workflow includes end-to-end automation from design generation through listing publication and promotion, creating a realistic risk of unauthorized or accidental external actions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The workflow automates posting to external social platforms without any explicit user review, confirmation, or dry-run step. That can cause unintended public communications, brand damage, account policy violations, or accidental disclosure of incorrect product information across multiple services.

Missing User Warnings

Medium
Confidence: 93%
Finding
Automatically creating Etsy listings is an external state-changing action that affects a real marketplace account, inventory, and potentially customer-facing content. Without a warning or confirmation step, the skill could publish inaccurate listings, violate shop policies, or create financial and reputational harm.

Missing User Warnings

Medium
Confidence: 95%
Finding
Retiring listings via API is a destructive action that can directly remove active products from sale and impact revenue. Because the workflow triggers this based on automated criteria and provides no user-facing warning or approval step, mistakes in metrics, scraping, or logic could cause mass unintended delisting.

VirusTotal

66/66 vendors flagged this skill as clean.