ClawHub

Global Price Comparison

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed price-comparison helper that uses optional search APIs and local CSV files without hidden persistence or destructive behavior.

Install only if you are comfortable with product search terms being sent to Brave or Tavily when using discovery, and use limited API keys for those providers. For local CSV comparison, the artifact shows ordinary file reads/writes and exchange-rate lookup with no hidden persistence or destructive behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation instructs users to run a Python script that uses environment variables, reads and writes local files, and performs network requests, but the skill declares no permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may treat the skill as low-privilege while it can actually access API keys, exfiltrate local data via networked requests, or overwrite files if the backing script is modified or behaves unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User-supplied product queries are transmitted to external search providers, which can expose potentially sensitive research interests or proprietary product names without explicit disclosure at runtime. In an agent skill context, this matters because users may assume local processing while the skill actually sends their input to third-party services.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Tavily code path sends the full user query to a third-party API with no visible consent or warning in the script flow. This creates a privacy and data-governance risk, especially if users enter confidential product identifiers, internal codenames, or sensitive procurement interests.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal