ClawHub
Back to skill

Security audit

Baixing Agent Cli

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for real classifieds posting, but it lacks clear safeguards around live publication, user data, and fabricated required fields.

Install only if you intend to let an agent submit real Baixing listings. Before posting, require the agent to show the final listing and obtain explicit confirmation, and do not allow it to invent contact numbers, prices, or locations for live submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly guides agents to perform live posting actions against an external classifieds service and to initialize/persist a UUID, but it does not require an explicit confirmation step or warn that these actions transmit user data and may create real external side effects. In an agent setting, this increases the risk of unintended publication, privacy leakage, and persistent account/device state changes from routine automation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation recommends submitting placeholder or inferred values for required fields such as contact number, price, and region when the user has not provided them. This can cause agents to publish false personal data or inaccurate listings to a live marketplace, creating fraud, privacy, and integrity risks that are especially serious because the skill is designed for real external posting.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.