Shopping Expert

Security checks across malware telemetry and agentic risk

Overview

This shopping helper appears legitimate, but it sends searches and any local-search location you provide to SerpAPI or Google Places.

Install this only if you are comfortable using your own SerpAPI and Google Places API keys and sending shopping queries, preferences, country codes, and any local-search location you provide to those third-party services. Prefer online mode when you do not want to share location details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 84%
Finding
The activation text is broad enough to match many ordinary shopping-related requests, making over-invocation likely. When combined with external API use and optional location handling, overly broad triggering can cause unnecessary transmission of shopping queries or location data to third-party services without the user clearly intending to use this specific skill.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation states that SerpAPI and Google Places API keys are required, but it does not clearly warn users that their product queries and, for local or hybrid searches, location data may be sent to those third-party services. This undermines informed consent and can expose potentially sensitive shopping interests or precise locations to external providers.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill sends user-supplied location information to the Google Places API to resolve addresses and search nearby stores without any explicit user-facing disclosure or consent flow. In a shopping skill, this creates a real privacy risk because precise location or address data may be transmitted to an external provider when users may not expect that level of sharing.

VirusTotal

65/65 vendors flagged this skill as clean.
