ClawHub
Back to skill

Security audit

Product Pricing Scraper

Security checks across malware telemetry and agentic risk

Overview

This is a public price-scraping helper with some overstated capabilities and privacy/compliance caveats, but no hidden or destructive behavior was found.

Install only if you want an agent to fetch public product pricing from retail pages. Provide explicit products or URLs, avoid private or logged-in pages, do not submit sensitive internal URLs or confidential market research unless you accept the disclosure risk, and keep scraping volumes modest and compliant with site rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill promises active web scraping, price tracking, and currency conversion, but the analyzed behavior reportedly does not implement those capabilities and instead mainly processes provided input. This mismatch can mislead users and orchestrators into invoking the skill in situations involving external access or monitoring, creating unsafe assumptions about what data is collected, how results are obtained, and whether outputs are trustworthy.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to scrape third-party sites and accept product names or URLs, but it does not clearly warn that those inputs may be transmitted to external websites. This can expose sensitive business interests, internal URLs, or user-supplied data to third parties without informed consent, especially because the skill is explicitly designed to contact external e-commerce domains.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal