ClawHub

Pinduoduo Automation

Security checks across malware telemetry and agentic risk

Overview

This Pinduoduo store automation skill is not clearly malicious, but it requests merchant credentials and advertises live business-changing automation without enough controls or complete reviewable implementation.

Review carefully before installing. Do not enter real Pinduoduo production credentials unless the publisher provides the missing implementation, documents least-privilege API scopes, and adds explicit confirmations or dry-run previews for product, order, pricing, promotion, and logistics changes. Test only with a limited account or non-production token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises automated shop operations such as product listing changes, inventory synchronization, and order processing, but it does not warn users that these actions can directly modify live store data and business workflows. In an e-commerce context, silent or poorly understood automation can cause unintended listing changes, stock errors, fulfillment mistakes, or account-impacting operational actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes dynamic pricing and marketing automation, including pricing strategies, detail-page generation, and customer-facing reply templates, without warning that it may automatically alter prices or publish content visible to customers. In this context, unintended automation can create financial loss, misleading listings, reputational damage, or policy/compliance issues if generated content or pricing changes are applied without review.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal