
Security audit

ClawMart 我的AI店铺 (ClawMart: My AI Store)

Security checks across malware telemetry and agentic risk

Overview

This is a real ClawMart store-management skill, but it makes live changes to a seller account, its triggers are broad, and it gives the agent little guidance on when to ask for confirmation.

Install it only if you intend to let the assistant manage a live ClawMart seller account. Confirm the API URL before logging in, do not reuse credentials you care about with self-hosted endpoints you do not control, confirm every delete and booking-status change yourself, and delete /tmp/clawmart_token.txt when you are finished.
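The operational recommendations above, as an added example that is not part of the audited skill or of ClawMart's own code: a small Python guard layer that an operator could place between the agent and the skill's tools. It pins the API host, refuses operations outside the declared store-management scope, requires explicit confirmation for deletes and booking-status changes (the scope-expansion and missing-warning findings reported below), and stores the cached token with owner-only permissions before scrubbing it at the end of the session. The host name, the operation names and the helper functions are assumptions; only the /tmp/clawmart_token.txt path comes from the audit.

```python
"""Guard layer for running the ClawMart skill under an agent.

Added example, not code from the audited skill or from ClawMart. Everything
except the token path (/tmp/clawmart_token.txt, named in the audit) is an
assumption made for illustration: the pinned host, the operation names and
the allow/confirm/deny policy.
"""
import os
import stat
from urllib.parse import urlsplit

TOKEN_PATH = "/tmp/clawmart_token.txt"  # path named in the audit

# Assumed: the only host the operator intends to manage through this skill.
ALLOWED_API_HOSTS = {"api.clawmart.example"}

# Assumed operation names, classified by effect rather than by what the
# skill manifest advertises.
READ_ONLY_OPS = {"list_products", "get_profile", "list_bookings"}
DESTRUCTIVE_OPS = {"delete_product", "delete_photo", "delete_note", "delete_profile"}
BOOKING_OPS = {"set_booking_status", "cancel_booking"}


def validate_api_url(url: str) -> bool:
    """Accept only https URLs whose host is pinned in ALLOWED_API_HOSTS.

    A self-hosted or look-alike endpoint (e.g. a subdomain of an attacker
    domain) fails the exact-host check, and credentials embedded in the URL
    are rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    return (parts.hostname or "").lower() in ALLOWED_API_HOSTS


def authorize(op: str, confirmed: bool) -> str:
    """Return 'allow', 'confirm' (needs an explicit user yes) or 'deny'.

    Read-only calls pass. Deletes and booking-status changes are held until
    the user has confirmed this specific call. Anything not in the declared
    scope is denied rather than guessed at.
    """
    if op in READ_ONLY_OPS:
        return "allow"
    if op in DESTRUCTIVE_OPS or op in BOOKING_OPS:
        return "allow" if confirmed else "confirm"
    return "deny"


def write_token(token: str, path: str = TOKEN_PATH) -> None:
    """Store the session token readable by the owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    # O_CREAT's mode only applies to a new file; tighten a pre-existing one too.
    os.chmod(path, 0o600)


def token_file_is_private(path: str = TOKEN_PATH) -> bool:
    """True if the token file exists and has no group/other permission bits."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return (stat.S_IMODE(mode) & 0o077) == 0


def remove_token(path: str = TOKEN_PATH) -> bool:
    """Overwrite the cached token with zeros, then unlink it.

    Overwriting is best-effort on journaling or copy-on-write filesystems,
    but it still beats leaving a plaintext token in a shared /tmp.
    Returns True if a file was removed, False if none existed.
    """
    try:
        size = os.path.getsize(path)
        with open(path, "r+b") as fh:
            fh.write(b"\0" * size)
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Constructed walk-through of one session.
    assert validate_api_url("https://api.clawmart.example/v1")
    assert not validate_api_url("https://api.clawmart.example.evil.test/v1")
    write_token("constructed-session-token")
    print("token private:", token_file_is_private())
    print("delete_product without confirmation:", authorize("delete_product", False))
    print("set_booking_status after confirmation:", authorize("set_booking_status", True))
    print("removed token:", remove_token())
```

The policy is deliberately default-deny: an operation the guard has not classified is refused, so a skill body that grows beyond its manifest (as the scope finding below describes) cannot pick up new live mutations without an operator adding them to the lists.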

SkillSpector

By NVIDIA
Vulnerability patterns checked
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The skill manifest describes store-management functions, but the body also exposes booking-management operations outside that declared scope. This scope expansion can cause the agent to perform actions on booking data the user did not intend to authorize, increasing the chance of over-broad invocation and unintended business-impacting changes.

Vague Triggers
Severity: High
Confidence: 97%
Finding: The trigger language is extremely broad, including generic phrases like 'my store' or anything that sounds like operating a store, which can cause unintended invocation for unrelated requests. In an agent setting, over-broad routing is dangerous because it may collect credentials or perform live backend mutations when the user only wanted general advice or information.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill advertises destructive capabilities like editing and deleting store data without warning that actions affect live production content. Without explicit confirmation boundaries, an agent may execute irreversible changes to products, photos, notes, or profile data based on ambiguous user phrasing.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.