Buy Anything

Security checks across malware telemetry and agentic risk

Overview

This purchase skill is financially sensitive, but its payment, shipping, external API, and optional memory behavior are disclosed and aligned with buying products.

Install only if you trust Rye, BasisTheory, and the store checkout flow. Set a spending limit, review the final item and total before confirming, and avoid saving the payment token unless you specifically want faster future purchases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Memory Poisoning: Persistent Context Injection, Context Window Stuffing, Memory Manipulation
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README advertises broad activation phrases like "buy", "order", or "purchase" with a store link, which can easily overlap with ordinary conversation and cause the purchasing skill to activate in contexts that are not explicit checkout intent. In a skill that can collect shipping details, reuse saved payment tokens, and place real orders, ambiguous triggering materially increases the risk of unintended purchases or socially engineered order flows.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance includes generic triggers like 'buy', 'order', or 'purchase' with a store link, which can cause the skill to engage in broad shopping contexts beyond clearly validated Amazon/Shopify product pages. In a purchase-capable skill, overbroad invocation increases the chance of unintended transactional flows, misuse with unsupported URLs, or social-engineering-induced checkout attempts before the store context is properly verified.

External Transmission

Medium
Category
Data Exfiltration
Content
Stream the request body to `curl` over stdin using a quoted heredoc. The single-quoted delimiter stops the shell from expanding anything inside the body, so user-supplied values (product URL, names, address, token) pass through verbatim. Use this pattern exactly — no files are created, nothing is interpolated into the command:

```bash
curl -s -X POST https://api.rye.com/api/v1/partners/clawdbot/purchase \
  -H "Content-Type: application/json" \
  --data @- << 'END_RYE_ORDER_BODY_a7f3d2e9b5c1'
{
```
Confidence
88% confidence
Finding
```bash
curl -s -X POST https://api.rye.com/api/v1/partners/clawdbot/purchase \
  -H "Content-Type: application/json" \
  --data
```

External Transmission

Medium
Category
Data Exfiltration
Content
Stream the request body to `curl` over stdin using a quoted heredoc. The single-quoted delimiter stops the shell from expanding anything inside the body, so user-supplied values (product URL, names, address, token) pass through verbatim. Use this pattern exactly — no files are created, nothing is interpolated into the command:

```bash
curl -s -X POST https://api.rye.com/api/v1/partners/clawdbot/purchase \
  -H "Content-Type: application/json" \
  --data @- << 'END_RYE_ORDER_BODY_a7f3d2e9b5c1'
{
```
Confidence
88% confidence
Finding
https://api.rye.com/

Persistent Context Injection

Medium
Category
Memory Poisoning
Content
## Spending Limit

Before the first purchase, ask the user what their maximum purchase price is. Store this in memory.
- If an order total (including any fees) exceeds the limit, warn the user and ask for confirmation
- User can say "no limit" to disable this check
Confidence
86% confidence
Finding
Store this in memory

VirusTotal

64/64 vendors flagged this skill as clean.