iwant.fyi

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent shopping integration, but it asks agents to create and store a service API key and to send shopping activity events to iwant.fyi without clear user consent controls.

Review before installing. Use it only if you are comfortable sending shopping searches and product constraints to iwant.fyi, storing a service API key, and potentially storing persistent wants remotely. Agents using this skill should ask before posting wants or reporting views, clicks, checkout starts, or purchases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium (91% confidence)

The skill instructs the agent to create an external account and obtain/store an API key automatically, without explicit user consent or a warning that credentials are being created for a third-party service. This can lead to silent account creation, unmanaged secret storage, and unexpected linkage between user activity and an external provider.

Missing User Warnings

Medium (95% confidence)

The search flow tells the agent to send user intent, product constraints, pricing, and possibly location-adjacent preferences to an external HTTP service without an upfront privacy notice. Even if this is core functionality, transmitting user shopping intent to a third party without disclosure creates privacy and consent risk.

Missing User Warnings

High (97% confidence)

Posting a persistent want stores user-provided content remotely over time, including product interests and potentially location data, yet the skill lacks a direct warning about persistence and remote retention. Because this creates an enduring record under a claimed owner, the privacy impact is materially higher than ephemeral search.

Missing User Warnings

Medium (94% confidence)

The skill directs the agent to report user behavior events such as views, clicks, checkout starts, and purchases to an external service for attribution, but does not clearly disclose this tracking to the user. Behavioral telemetry is sensitive because it reveals commercial interests and actions beyond the original search request.

VirusTotal

64/64 vendors flagged this skill as clean.
