ClawHub

淘宝客全能工具箱

Security checks across malware telemetry and agentic risk

Overview

This is a coherent affiliate-link toolkit, but it needs review because it publishes concrete-looking monetization identifiers and describes account-affecting automation without clear user control.

Review before installing. Replace every published API key, SID, union ID, PID, and affiliate identifier with your own verified values, treat them as sensitive, and only run reviewed scripts from a trusted source. Do not allow price-protection or refund-related actions unless the agent asks for explicit confirmation first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The documentation instructs users to place real affiliate and API identifiers in a shared env file and describes capabilities such as auto price protection, commission tracking, and high-commission link conversion. Even though this is only documentation, it normalizes use of broad monetization credentials that could be reused by scripts for account-level actions beyond simple link conversion, increasing the blast radius if the skill or adjacent code is compromised.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file includes what appear to be actual API/app identifiers and affiliate IDs directly in the setup example, and it does not label them as placeholders or sensitive values. Publishing or encouraging hardcoded secret-like values can lead to credential misuse, unauthorized API consumption, account abuse, or operators accidentally reusing exposed identifiers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises automatic link conversion, price comparison, and affiliate processing but does not disclose that user-supplied links, tokens, and related product metadata may be transmitted to third-party services such as Zhetaoke or platform affiliate APIs. This creates a privacy and consent gap: users may unknowingly submit shopping activity or identifiers to external processors.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal