ClawHub

Evenrealities Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it checks Evenrealities order status, stores local history, and can be run on a schedule, with privacy caveats but no evidence of hidden or malicious behavior.

Install only if you are comfortable storing email/order IDs and status history in local plaintext files, submitting that information to Evenrealities on each check, installing Playwright browser components, and optionally running a daily cron job. Keep the memory files out of version control and shared folders, and remove the cron job when you no longer want automated checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill description and body materially disagree about what the skill does and how it does it, including undisclosed reads from `memory/evenrealities-orders.json`, use of Playwright instead of `fast-browser-use`, and inaccurate claims about Telegram delivery. Behavior mismatches reduce operator trust, can hide data flows from users, and make it easier for risky functionality to be overlooked during review or deployment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to store email addresses, order IDs, and status history in local memory files and automate browser-based checks, but it does not warn about retention, local file sensitivity, notification leakage, or access controls. This can lead users to persist personal order data insecurely or expose it through logs, backups, shared machines, or messaging integrations such as Telegram.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill automates submission of user email addresses and order IDs to a third-party site, but the description lacks a prominent privacy warning about that external transmission. This can cause users to provide personal order-tracking data without informed consent, especially in automated cron-based operation where data is transmitted repeatedly over time.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal