ClawHub

Skill Price

Security checks across malware telemetry and agentic risk

Overview

This is a coherent competitor price-monitoring skill that discloses its API key use, external pricing APIs, local report storage, and alerting features.

Install only if you trust YunlvAI with your TradeGPT API key and the business pricing context you provide. Configure monitored products, competitors, alert recipients, frequency, retention, and data sources deliberately, and avoid monitoring sources you are not authorized to access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad terms like "价格分析", "市场价格", and "competitive pricing", which can cause the skill to activate for generic pricing discussions rather than explicit competitor-monitoring tasks. Unintended invocation is dangerous here because the skill is capable of calling external APIs and sending alerts, so over-broad activation can lead to unnecessary data disclosure, user confusion, or actions being taken in the wrong workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill mentions email and WhatsApp alerts but does not present a clear up-front user warning that enabling alerts will transmit analysis data to external communication channels. This is risky because pricing intelligence and monitoring outputs may contain sensitive business information, and users may enable notifications without understanding that data leaves the local skill environment.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list contains generic pricing terms such as '价格分析', '市场价格', and 'competitive pricing' that can match normal business discussion rather than a clear request to invoke this skill. This increases the chance of over-broad auto-selection, causing the agent to activate external price-monitoring functionality and potentially send user context to third-party services when the user did not explicitly intend that behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest declares use of an authenticated external API and external data services, but it does not disclose to users that their prompts, product details, or market data may be transmitted to third-party endpoints for processing. In a pricing-intelligence context, this can expose sensitive business strategy information, competitor targets, or product identifiers without informed consent, especially if the skill is auto-triggered.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal