Security audit

星罗好货电商CPS助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed shopping affiliate assistant that sends product searches or links to its declared service to return prices, coupons, affiliate links, and commission information.

Install only if you are comfortable using this provider for shopping affiliate workflows. Your searches, product links or Taobao tokens, and LINKBOT_API_KEY are sent to linkbot-api.linkstars.com, and responses may include promotion links and commission rates. Configure your own key if you want commissions attributed to your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The invocation guidance is very broad, covering generic shopping intents like asking for prices, recommendations, discounts, or product searches. This can cause the skill to trigger on ordinary conversations and send user queries or links to an external service unnecessarily, increasing privacy exposure and the chance of unintended affiliate-link generation.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script sends user-supplied search terms and the configured API key to an external service, but provides no user-facing notice that data and credentials are being transmitted off-host. In an agent/skill context, silent outbound requests can violate user expectations and privacy boundaries, especially when the input may contain sensitive product links, tokens, or identifiers.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The URL lookup path transmits arbitrary user-provided links or Taobao tokens plus the API key to a third-party endpoint without any explicit disclosure at runtime. This is more sensitive than plain keyword search because pasted links or tokens may embed tracking parameters, affiliate data, or private referral information that the user may not realize is being shared.

VirusTotal

61/61 vendors flagged this skill as clean.