Product Opportunity Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill coherently analyzes Amazon reviews, with disclosed Bright Data scraping and local output, but users should protect API keys and understand the third-party data flow.

Install only if you are comfortable sending Amazon product URLs and review requests to Bright Data. Use a scoped Bright Data API key, avoid passing secrets in shared shell history or process lists, and run the helper script only when you intend to create or overwrite extracted_reviews.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3 (Medium)

Category: MCP Least Privilege
Confidence: 89%
Finding: The skill performs network access to a third-party review scraping service and indicates persistence of raw review data, yet no explicit permissions or user-facing disclosure are declared. Hidden capabilities increase the chance of unauthorized data handling, make review and consent harder, and can enable unintended exfiltration or local data retention beyond the user's expectation.

Tp4 (High)

Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill claims to analyze Amazon reviews for opportunity discovery, but its behavior also includes sending data to a third-party scraping provider and writing extracted review data to local storage, which is not clearly disclosed in the declared purpose. This mismatch is dangerous because users and reviewers cannot accurately assess data flows, retention, or compliance risk, especially when third-party collection and local persistence are involved.

VirusTotal

61/61 vendors flagged this skill as clean.
