ClawHub

Market Order Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only order-tracking skill whose customer notification templates fit its stated business purpose, though users should verify recipients and sensitive attachments before use.

Install only in a workspace approved for customer, payment, and shipment information. Treat outbound messages as drafts: verify the recipient and channel, remove unnecessary personal or financial details, and explicitly approve sensitive attachments such as invoices, packing lists, bills of lading, and certificates before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises automatic customer notifications but provides no privacy notice, consent boundary, or data-minimization guidance. Because this workflow handles customer identities, phone numbers, order values, shipping milestones, and commercial documents, automated outbound messaging could leak confidential business or personal data to unintended recipients or through inappropriate channels.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The notification templates and strategy include sending invoices, packing lists, bills of lading, certificates, and shipment details without warning about sensitivity, redaction, or recipient validation. In an order-tracking skill, this materially increases the chance of exposing trade documents, customer contact data, shipment identifiers, and commercial terms via email or messaging apps, enabling fraud, social engineering, or business confidentiality loss.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal