ClawHub

Product Detail Page Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed guide for using an external product-page service, with the main caution that uploaded or emailed product materials and published pages may leave your control.

Install only if you are comfortable using show.3diy.world and emailing product materials to the listed provider. Do not upload unreleased, confidential, regulated, or customer-identifying images unless you have authorization and understand the provider's retention and sharing practices. Review generated pages before publishing and assume share links or QR codes may be reachable by anyone who receives them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs users to upload product images into a third-party web platform and use AI analysis, but it provides no warning about what data may be transmitted, stored, retained, or reused by the service. This can lead to inadvertent disclosure of proprietary product assets, customer data, or regulated images, especially because the workflow encourages direct upload as a normal step.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The publish workflow explicitly tells users to obtain a share link and QR code but does not warn that publication may make the generated page accessible to unintended audiences. Without an exposure warning or visibility controls, users may accidentally disclose unreleased marketing content, internal product details, or copyrighted assets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to send product descriptions and image attachments to an external email address, but it provides no disclosure about who receives the data, how it is stored, whether it is shared with third-party AI platforms, or whether sensitive business information should be excluded. This creates a real privacy and data-handling risk, especially because product images and descriptions may contain confidential product plans, customer data, branding assets, or unreleased commercial material.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal