ClawHub

flipkart seller dashboard

Security checks across malware telemetry and agentic risk

Overview

This seller-operations skill appears legitimate, but it can make live marketplace changes and send business data through external channels without enough visible guardrails.

Install only if you are comfortable granting seller-account API access. Use least-privilege API keys, enable only the marketplaces and notifications you need, confirm that price/order-changing actions require explicit approval, and avoid sending sensitive seller metrics to WhatsApp unless the recipient and data fields are clearly controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill explicitly promises automatic WhatsApp summaries and ongoing competitor/Buy Box monitoring, which implies transmitting potentially sensitive seller business data to external services. Without a clear warning and consent boundary, users may not understand that order, inventory, pricing, and performance data will leave the primary platform and be shared with third-party APIs or messaging channels.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documented command to update prices can modify live marketplace listings, directly affecting revenue, competitiveness, and customer-facing offers. Because the skill presents this as a chat command without a prominent warning about real-world side effects and confirmation safeguards, accidental or manipulated commands could cause immediate business harm.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal