SellToAI Moras Shop

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real shopping recommendation skill, but it needs Review because it sends user context to a commerce service and its installer persistently installs remote instructions into several agent environments at once.

Install only if you are comfortable with shopping intent and summarized preference or recipient context being sent to SellToAI. Prefer manually installing a reviewed SKILL.md into the one agent you intend to use instead of running install.sh, and review any buy links because attribution query parameters are intentionally preserved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium (87% confidence)
Finding:
The installer writes the downloaded skill file into multiple local agent skill directories, expanding its reach well beyond a single host integration. That broad persistence behavior increases attack surface because a compromised or replaced remote SKILL.md would automatically propagate into several agent environments on the machine.

Context-Inappropriate Capability

Medium (84% confidence)
Finding:
The script implements cross-agent installation logic that is not necessary for a shopping skill's stated purpose and creates unnecessary privilege over multiple agent ecosystems. If the remote content is malicious or later changed, the script becomes a distribution mechanism that seeds the same untrusted skill into several tools at once.

Missing User Warnings

Medium (91% confidence)
Finding:
The example instructs an agent to send a live request to a third-party service (`selltoai.ai`) and includes a creator identifier plus channel metadata, but it provides no notice about what user or contextual data may be transmitted externally. In an agentic shopping skill, this can cause silent disclosure of user intent, preferences, or session-derived context to an external vendor, which is a real privacy and trust issue even if the request appears routine.

Missing User Warnings

Medium (95% confidence)
Finding:
The example transmits structured personal context, including region, budget, recipient relationship, age band, occasion, and preferences, to an external API endpoint without any visible consent flow, minimization guidance, or privacy notice. Although the data is not extremely sensitive on its face, it is still user-derived profiling data about a child recipient and shopping intent, and could be logged, retained, or reused by the third-party service.

Missing User Warnings

Medium (90% confidence)
Finding:
The script silently downloads remote content and writes it into multiple agent directories without prominent warning, confirmation, or explanation of side effects. This makes social-engineering-driven installation easier and reduces the user's ability to notice that persistent changes are being made across several local agent configurations.

VirusTotal

VirusTotal findings are pending for this skill version.