ClawHub

Digital Product Listing

Security checks across malware telemetry and agentic risk

Overview

This is a text-only writing helper for marketplace listings, with no evidence of code execution, account access, persistence, or hidden data handling.

Safe to install as a copywriting aid, but review generated marketplace claims, tags, platform compliance, licensing statements, and prices before publishing. Users outside GBP markets should adjust the currency and pricing recommendations manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill activates on a very generic condition: any user describing a digital product. That broad trigger can cause unintended invocation on ordinary e-commerce or product-description requests, leading the agent to take over workflows the user did not explicitly ask for and potentially produce misleading marketplace-specific content without sufficient confirmation. In this context the issue is not directly exploitative, but it increases the chance of misrouting, overreach, and incorrect automated output.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The summary format hard-codes pricing in GBP (£X – £Y), which can mislead users in other locales or marketplaces and cause inconsistent or inaccurate pricing recommendations. In a commerce-related skill, currency assumptions can create user confusion, bad listings, and pricing mistakes, though the security impact is limited compared with code execution or data exfiltration issues.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal