Etsy Digital Sales

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed carefully because it directs live Etsy store automation using OAuth credentials without clear confirmation or safety boundaries.

Install only if you are comfortable giving an agent Etsy account automation authority. Before use, keep credentials in a secure settings or secret manager, avoid pasting tokens into source files or logs, and require explicit confirmation for creating listings, renewing paid listings, or messaging customers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium (91% confidence)
Finding
The skill is described as a broad automation capability for operating an Etsy store, but it does not define clear boundaries for when it should or should not act. In practice, this can lead to overbroad invocation and unintended account actions such as creating listings, renewing items, or sending follow-up messages without sufficiently explicit user intent or constraints.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs users to store Etsy API keys and OAuth tokens but does not warn about the sensitivity of those credentials or the risks of long-lived token storage. If mishandled, these secrets could allow unauthorized access to the Etsy account, including listing management and other seller actions.

Missing User Warnings

Medium (93% confidence)
Finding
The skill advertises browser and API automation for listing, auto-renewal, and review follow-up, but it does not clearly warn that these are real account-changing actions that may trigger marketplace policy, billing, or reputation consequences. Users may enable the skill without understanding that it can spend money on renewals, message customers, and alter storefront state.

VirusTotal

65/65 vendors flagged this skill as clean.
