Avito Pro

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Avito API reference, but it should be reviewed because it covers account messaging, webhooks, credentials, and paid-service actions without clear safeguards.

Review before installing if an agent will receive real Avito credentials. Use the minimum required scopes, keep client secrets and bearer tokens out of prompts and logs, require explicit user approval before sending messages, uploading media, changing webhooks, or applying VAS services, and remove webhook subscriptions when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents state-changing API operations such as sending chat messages, marking chats as read, uploading images, and applying paid services, but it does not warn that these actions can alter user data, customer communications, or account billing state. In an agent setting, omission of side-effect warnings increases the risk of unintended or unauthorized actions being performed with real credentials.

Missing User Warnings

Medium
Confidence: 92%
Finding
The OAuth section includes client_id, client_secret, authorization codes, and bearer tokens but provides no guidance on secure secret handling, storage, logging, or scope minimization. In an agent workflow, this can lead to credential leakage through prompts, logs, screenshots, shell history, or overbroad token use, enabling unauthorized access to Avito accounts and messages.

VirusTotal

66/66 vendors flagged this skill as clean.
