Security audit

Alibaba Factory Finder

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Alibaba supplier-search helper with disclosed tracking parameters and no evidence of hidden credential access, persistence, or broad destructive behavior.

Installers should know that Alibaba search queries will be included in Alibaba URLs and that links intentionally carry an analytics/attribution parameter. Ordinary users do not need to run release.sh; only run it if you intend to publish this skill package to ClawHub.

SkillSpector

By NVIDIA

Vulnerability Patterns

Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: This shell script deletes an existing package file, repackages the skill, and publishes it via a CLI command, but provides no warning, confirmation, or explanatory comments about the destructive and externally affecting actions. The only user-facing messages are generic status echoes, which do not disclose the deletion or remote publish behavior in a safety-relevant way.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: cd "$SKILL_DIR" # Repackage rm -f $SKILL_NAME.skill 2>/dev/null || true python3 scripts/package_skill.py . mv .skill $SKILL_NAME.skill
Confidence: 95% confidence
Finding: rm -f $SKILL_NAME.skill 2>/dev/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal