ClawHub

中国电商搜索

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill openly searches Chinese shopping platforms for product comparison, with privacy considerations but no hidden code, persistence, or destructive behavior.

Install if you want broad Chinese e-commerce price comparison. Before using it, be comfortable with searches opening on multiple third-party shopping sites, and keep login, address, payment, and any order placement under explicit step-by-step confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requires opening all eight Chinese e-commerce platforms and collecting product links before responding, which can cause broad transmission of user search terms or shared product interests to multiple third-party services without necessity or explicit user consent. This expands privacy exposure, increases tracking/fingerprinting risk, and may trigger logins or region-specific data collection even when the user only needed a narrower comparison.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The instruction '支持中文交流' indicates Chinese-language interaction support, and in context this can steer the agent toward a fixed language mode without checking the user's preference. While not severe on its own, forced or assumed language selection can mislead users, reduce comprehension of risk notices, and make consent around external browsing less meaningful if the user is more comfortable in another language.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal